Carbide App for Splunk app icon

Carbide App for Splunk

Know when a host, source or sourcetype stops reporting — before someone asks where the data went. Per-entity gap, latency and volume-drop detection with learned baselines, HA cluster quorum tracking, business-hours schedules, auto-onboarding rules and transition-based alerts. tstats-powered (no raw scans), KV-backed, inline-editable. ES integration included, works without ES.

Built by Ziga Humar
splunk product badge
screenshot
screenshot
screenshot
screenshot

Default Version 1.7.0
July 15, 2026
Compatibility
Splunk Enterprise, Splunk Cloud
Platform Version: 10.5, 10.4, 10.3, 10.2, 10.1, 10.0
CIM Version: 8.x, 6.x, 5.x, 4.x, 3.x
Rating

0

(0)

Log in to rate this app
Support
Carbide App for Splunk support icon
Developer Supported app
Carbide answers one question continuously: is every data source that should be reporting into Splunk actually reporting — on time and in full? Silent feed failures are usually discovered too late: a forwarder dies, an API token expires, a log rotation breaks — and nobody notices until an investigation comes up empty. Carbide watches for exactly that. It discovers what reports into your indexes (per host, source, or sourcetype), lets you choose what matters, and then tracks three things per entity: gap (how long since the last event was generated), ingest latency (delay between event time and index time), and optionally volume (24h event count vs a learned baseline — catching feeds that keep trickling on time while most of the volume is lost). Everything is tstats-powered — discovery and status calculation never scan raw events, and indexer cost scales with your watch list, not the size of your estate. Configuration is inline and bulk-editable: per-entity thresholds with human-friendly durations (7h, 1d, 1w), monitoring schedules (24/7, weekdays, business hours with holiday calendar and Monday-morning grace), maintenance windows, tags, and auto-watch rules that onboard newly discovered entities automatically. Alerts fire once on the transition into a bad state — not repeatedly while it persists. Redundant pools get HA cluster monitoring: group members by tag, set a quorum (e.g. at least 60% must report), and one dead node in a load-balanced farm stays quiet while the redundancy absorbs it — losing quorum is what alerts, with the full list of failing members. Member alerts, the Home dashboard and the pager all tell the same story. For Splunk Enterprise Security users, Carbide ships notable events, risk-based alerting, CIM Alerts data model alignment, asset enrichment, and Incident Review drilldowns to a per-entity detail page — all silently inactive on installs without ES. No license key, no external dependencies, no data model accelerations, no scripted inputs. One dedicated index (you create it), seven KV store collections, and a set of scheduled searches you can read and edit.

Categories

Security, Fraud & Compliance, SIEM

Created By

Ziga Humar

Type

app

Resources

Log in to report this app listing