Splunk® Phantom (Legacy)

Administer Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Configure search in Splunk Phantom

Splunk Phantom uses an embedded, preconfigured version of Splunk Enterprise as its native search engine. Your organization might want to use a different Splunk Enterprise deployment with Splunk Phantom or use an external Elasticsearch instance.

Configure Splunk Phantom to use an external Splunk Enterprise or Splunk Cloud Platform instance for search

This table summarizes the available options for configuring a Splunk Enterprise or Splunk Cloud Platform instance for search in Splunk Phantom.

Search Option Description
Embedded Splunk Enterprise Instance This is the default. No additional configuration is required.
External Standalone Splunk Enterprise Instance Use this option to connect your Splunk Phantom instance or cluster to a single, external instance of Splunk Enterprise or Splunk Cloud Platform.


This option requires the Splunk Phantom Remote Search app.

  1. See About the Splunk Phantom Remote Search app in the Splunk Phantom Remote Search manual to verify version compatibility and requirements.
  2. See Connect to a standalone Splunk instance in the Splunk Phantom Remote Search manual for instructions.
External Distributed Splunk Enterprise Instance Use this option to connect your Splunk Phantom instance or cluster to a Splunk Enterprise or Splunk Cloud Platform deployment that contains one or more search heads, or one or more indexers with or without a search head cluster or indexer cluster.


This option requires the Splunk Phantom Remote Search app.

  1. See About the Splunk Phantom Remote Search app in the Splunk Phantom Remote Search manual to verify version compatibility and requirements.
  2. See Connect to a distributed Splunk platform deployment in the Splunk Phantom Remote Search manual for instructions.

Clustered deployments of Splunk Phantom require an external Splunk Enterprise, as either a single instance or a distributed deployment, or a Splunk Cloud Platform deployment.

Integrating with Splunk Cloud Platform requires the following additional information and actions:

  • You must use a public certificate from a verified or trusted certificate authority (CA).
  • You must contact Splunk Customer Support for assistance with Splunk Cloud Platform integration. You will need to provide the path to your certificate and your CA.
  • You must enable certificate verification on your Splunk Phantom assets.

Splunk Phantom also provides support for an external Elasticsearch instance for single-instance deployments of Splunk Phantom. Clustered deployments of Splunk Phantom cannot use Elasticsearch as their search endpoint. See Configure Splunk Phantom to use an external Elasticsearch instance

Configure Splunk Phantom to use an external Elasticsearch instance for search

When you configure Splunk Phantom to use an external instance of Elasticsearch, a copy of all indexed and searchable data is sent to the Elasticsearch instance. The embedded Splunk Enterprise remains active and is used as the search provider for searches in the Splunk Phantom web interface.

Verify the following requirements before configuring the external Elasticsearch instance:

  • If you are using SSL to secure your connection to the Elasticsearch instance, the SSL certificate is imported to the Splunk Phantom certificate store.
  • You know the host name and port for the Elasticsearch instance.
  • You know the username and password of an Elasticsearch user account, or the client certificate and client key.

Perform the following tasks to connect to an external Elasticsearch instance:

  1. From the main menu in Splunk Phantom, select Administration.
  2. Click Administration Settings.
  3. Click Search Settings.
  4. From Search Endpoint, select the radio button for External Elasticsearch Instance.
  5. Select the Use SSL check box to enable SSL.
  6. If your Elasticsearch instance is version 6 or newer, select the Use one index per section check box.
  7. Type the host name in the Host field.
  8. Type the port number in the Port field.
  9. Choose your authentication method, either basic authentication with a username and password, or a client certificate.
  10. If you are using basic authentication with a username and password:
    1. Type the username of the authorized Elasticsearch account in the Username field.
    2. Type the password of the authorized Elasticsearch account in the Password field.
  11. If you are using certificate-based authentication, select the Client Authentication check box.
    1. Type the path to the client certificate in the Client Certificate field. This certificate is often a file with the .pem extension.
    2. Type the path the to client key in the Client Key field. This key is often a file with the .key extension.
  12. Test the connection to your Elasticsearch instance by clicking Test Connection.
  13. When you are finished, click Save Changes.

If you want to use a client certificate to connect to your Elasticsearch instance, provide the paths on the Splunk Phantom instance's operating system to the public and private keys. The private key, often a file with the .pem extension, is the Client Certificate. The public key, often a file with the .key extension, is the Client Key. Both files must be readable by the nginx user. You can store the files in the nginx user's home directory, /var/cache/nginx.

Reindex data to make newly added information searchable

There are some situations where data coming in to Splunk Phantom can't be indexed, and therefore can't be searched. You can reindex information sections to make this information searchable. See Reindex data to make newly added information searchable in the Splunk Phantom Remote Search manual.

Last modified on 28 June, 2021
PREVIOUS
Customize email templates in Splunk Phantom 		  NEXT
Configure Google Maps for visual geolocation data

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters