The Splunk App for Carbon Black App Control allows Splunk to interpret data provided by Carbon Black App Control so that it can be analyzed and displayed by Splunk.

Prerequisites

Before you install the Splunk App, set up the Splunk Server to receive forwarder data on port 9997. See Set up the Splunk Server to Receive Splunk Universal Forwarder Messages.

Procedure

1. Log into the Splunk server as an administrator-level user.
2. Search for “App Control” through the Find Apps Online feature in the Splunk console, and when you find the Carbon Black App Control App for Splunk, download it to a convenient location on the server.
3. In the menu bar at the top of the Splunk console, click Apps > Manage Apps.
4. Install the App from its zip file:
   1. Click on Install app from file and in the Upload an app dialog, browse to the cb-protection-app-for-splunk_20.tar.gz file.
   2. Click Upload. The file name, especially the numbers at the end, varies with version changes.

What to do next

If you have Splunk indexers that are not on the machine running the Splunkweb, also install the Splunk App for Carbon Black App Control on the machines hosting these indexers. The procedure for this is the same as for installing the app on the Splunk Forwarder.

Next step: Install the Splunk Forwarder on the Carbon Black App Control Server