To enable a Splunk server to import Carbon Black App Control data for analysis, you must make modifications on both the system hosting the Carbon Black App Control Server and the Splunk server. The summary of these steps is as follows:

Note:

Instructions for setting up the Carbon Black App Control App for Splunk are also available on the Splunk website and might be more recent than those provided here. See: https://splunkbase.splunk.com/app/1790/#/details.