Upgrade the Splunk Add-on for Carbon Black
The following upgrade steps switch the add-on from monitoring a single file to monitoring a directory, so that JSON files which roll over while your Splunk platform deployment is down are still picked up when it comes back.
If your Splunk platform instance has been down and files have not been ingested, switching from file monitoring to directory monitoring can cause a temporary spike in ingestion while the missed data is caught up.
Change file monitoring to directory monitoring
- Download and install version 2.0.0 or higher of the Splunk Add-on for Carbon Black.
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/local and open inputs.conf in a text editor.
- Change the existing monitoring path from <path_of_the_json_file> to <path_of_the_directory_containing_json_file>.
- Add whitelist = <regex_to_match_json_files>. See the inputs.conf.template in $SPLUNK_HOME/etc/apps/Splunk_TA_bit9-carbonblack/default/ for reference.
- Replace <regex_to_match_json_files> with a regular expression that matches the JSON files you need to monitor. For example, .*\.json(\.[\d\-T:\.a-z]*)? matches file names such as event_bridge_output.json.2019-05-13T11:41:28.167.restart, event_bridge_output.json.20190417, and event_bridge_output.json.
- Save your changes.
- Restart your data collection node.
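The following is an added example, not part of the Splunk documentation or the add-on itself. It builds the directory-monitor stanza the steps above describe and checks the suggested whitelist regex against a constructed directory listing, so you can confirm which rolled-over files would be picked up before restarting the data collection node. The directory /var/cb/data/event_bridge, the listing, and the assumption that Splunk applies whitelist as an unanchored search over the full path are all assumptions made for the example.

```python
import re

# Whitelist regex from the upgrade steps. Splunk evaluates `whitelist` against
# the full path of every file it discovers under the monitored directory.
JSON_WHITELIST = r".*\.json(\.[\d\-T:\.a-z]*)?"

# Directory holding the event forwarder output: an assumed example path,
# not one taken from the add-on documentation.
EVENT_DIR = "/var/cb/data/event_bridge"


def monitor_stanza(directory, whitelist=JSON_WHITELIST):
    """Return the inputs.conf stanza the upgrade steps describe: a monitor
    on the directory plus a whitelist restricting it to JSON files."""
    return "[monitor://{}]\nwhitelist = {}\n".format(directory, whitelist)


def whitelisted(path, whitelist=JSON_WHITELIST):
    """True if Splunk would monitor this path under the stanza above.
    Assumption: whitelist is an unanchored search over the full path, so
    re.search is used rather than re.fullmatch."""
    return re.search(whitelist, path) is not None


def rollover_suffix(path, whitelist=JSON_WHITELIST):
    """Return the rollover suffix that follows '.json' ('' for the live file,
    None if the path is not whitelisted at all)."""
    m = re.search(whitelist, path)
    if m is None:
        return None
    return (m.group(1) or "").lstrip(".")


def partition(paths, whitelist=JSON_WHITELIST):
    """Split a directory listing into (monitored, ignored) lists."""
    monitored = [p for p in paths if whitelisted(p, whitelist)]
    ignored = [p for p in paths if not whitelisted(p, whitelist)]
    return monitored, ignored


# Constructed directory listing: the three file names the upgrade steps say
# the regex should match, plus two files it should leave alone.
SAMPLE_LISTING = [
    EVENT_DIR + "/event_bridge_output.json",
    EVENT_DIR + "/event_bridge_output.json.20190417",
    EVENT_DIR + "/event_bridge_output.json.2019-05-13T11:41:28.167.restart",
    EVENT_DIR + "/event_bridge.log",
    EVENT_DIR + "/cb-event-forwarder.conf",
]

if __name__ == "__main__":
    print(monitor_stanza(EVENT_DIR))
    monitored, ignored = partition(SAMPLE_LISTING)
    for p in monitored:
        print("monitor  {} (rollover suffix: {!r})".format(p, rollover_suffix(p)))
    for p in ignored:
        print("ignore   {}".format(p))
```

Because the whitelist is a search rather than an exact match, any path containing .json followed by characters from the suffix class is picked up, including the restart and date-stamped rollovers; files without .json in the name, such as the forwarder's own log or config, are ignored. Run the script after editing inputs.conf with your own listing to verify the regex before the restart.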