Use the Live Query Inputs tab to configure inputs to pull Live Query results using the Carbon Black Cloud APIs.
The Live Query input uses the CBC Live Query API.
Note: Inputs are limited to the first 10,000 results of a Live Query.
| Setting | Description |
|---|---|
| Name | Used to distinguish between inputs. |
| Active | A checkbox enables or disables the input. |
| API Token | The API Key from the API Token Configuration tab to use for the API authorization. For required permissions, see API Data Inputs. |
| Proxy | The proxy configuration, if needed. |
| Lookback | The number of historical days to pull from the API on initial configuration. |
| Index | The Splunk Index in which to store the data.
Note: This value must match value of the
VMware Base Index on the
VMware Base Configuration tab.
|
| Interval | The frequency (in seconds) that the API should poll for data. Range: 60-86400. Default: 300. |
| Result Query | The Carbon Black Cloud-compatible query to limit the Live Query results. The same syntax is used by the Search bar at the top of the Carbon Black Cloud console Live Query > Query Results tab. Example: NOT "Test" AND NOT "Chrome". |
