Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events



This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

About the Splunk Phantom App for Splunk

Splunk Phantom can use the Splunk platform as a source of data by ingesting events. The Splunk Phantom App for Splunk is required to configure Splunk Enterprise or Splunk Cloud as a data source for Splunk Phantom.

This diagram shows how the Phantom App for Splunk translates CIM data from the Splunk platform to CEF data for Splunk Phantom.

The Splunk Phantom App for Splunk is installed as an app on the Splunk platform and forwards events to Splunk Phantom. The Splunk platform holds raw events and Common Information Model (CIM) data, while Splunk Phantom works with the Common Event Format (CEF). The Splunk Phantom App for Splunk acts as a translation service between the two by performing the following tasks:

  • Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF fields.
  • Translating CIM fields from Splunk Enterprise Security (ES) notables to CEF fields.
  • Forwarding the translated events in CEF format to Splunk Phantom, where they are stored as artifacts.
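The following is an added example of the translation step described above; it is not the Splunk Phantom App for Splunk's own code. It renames a handful of CIM fields to their CEF names, attaches Phantom "contains" types so the platform can offer actions on those fields, derives a stable identifier so that re-forwarding the same Splunk event does not create a second artifact, and assembles the artifact body. The CIM-to-CEF table, the contains-type table, the urgency-to-severity table and the sample notable are all assumptions chosen for illustration; the app's real mapping tables are not shown on this page.

```python
"""CIM -> CEF translation of a Splunk event into a Splunk Phantom artifact body.

Added example for this page, not the Splunk Phantom App for Splunk's own code.
CIM_TO_CEF, CEF_CONTAINS, URGENCY_TO_SEVERITY and SAMPLE_NOTABLE are ASSUMED
values for illustration; the app's real tables are not on this page.
"""
import hashlib
import json
from typing import Any

# ASSUMED subset of a CIM field -> CEF field mapping.
CIM_TO_CEF: dict[str, str] = {
    "src": "sourceAddress",
    "src_port": "sourcePort",
    "dest": "destinationAddress",
    "dest_port": "destinationPort",
    "user": "sourceUserName",
    "action": "deviceAction",
    "transport": "transportProtocol",
    "url": "requestURL",
    "file_name": "fileName",
    "file_hash": "fileHash",
}

# ASSUMED "contains" types that tell Phantom which actions apply to a CEF field.
CEF_CONTAINS: dict[str, list[str]] = {
    "sourceAddress": ["ip"],
    "destinationAddress": ["ip"],
    "sourcePort": ["port"],
    "destinationPort": ["port"],
    "sourceUserName": ["user name"],
    "requestURL": ["url"],
    "fileName": ["file name"],
    "fileHash": ["hash"],
}

# ASSUMED mapping of an ES notable's urgency to a Phantom artifact severity.
URGENCY_TO_SEVERITY = {"critical": "high", "high": "high", "medium": "medium",
                       "low": "low", "informational": "low"}


def cim_to_cef(event: dict[str, Any]) -> dict[str, Any]:
    """Rename CIM fields to their CEF names; pass unmapped fields through unchanged.

    Splunk internal fields (_raw, _time, _cd, ...) are dropped: they are search
    metadata, not CIM data. Multivalue fields arrive as lists and stay lists so
    no value is silently discarded.
    """
    cef: dict[str, Any] = {}
    for key, value in event.items():
        if key.startswith("_"):
            continue
        cef[CIM_TO_CEF.get(key, key)] = value
    return cef


def cef_types_for(cef: dict[str, Any]) -> dict[str, list[str]]:
    """Attach contains types only for CEF fields actually present in this event."""
    return {k: CEF_CONTAINS[k] for k in cef if k in CEF_CONTAINS}


def source_identifier(event: dict[str, Any]) -> str:
    """Stable per-event identifier so a re-run of the forwarder is recognisable
    as the same event: ES notables carry event_id; saved-search results do not,
    so their CIM fields are hashed in canonical form (internal fields excluded)."""
    if "event_id" in event:
        return str(event["event_id"])
    canonical = json.dumps({k: v for k, v in event.items() if not k.startswith("_")},
                           sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_artifact(event: dict[str, Any], label: str = "event") -> dict[str, Any]:
    """Assemble the artifact body (cef, cef_types, label, severity, identifier)."""
    cef = cim_to_cef(event)
    return {
        "name": event.get("rule_name") or event.get("search_name") or "Splunk event",
        "label": label,
        "severity": URGENCY_TO_SEVERITY.get(str(event.get("urgency", "")).lower(), "medium"),
        "source_data_identifier": source_identifier(event),
        "cef": cef,
        "cef_types": cef_types_for(cef),
    }


# Constructed sample: one ES notable as a Splunk search might return it.
SAMPLE_NOTABLE: dict[str, Any] = {
    "_time": "1610500000",
    "_raw": "Jan 12 01:00:00 host sshd[123]: Failed password for jdoe",
    "event_id": "constructed-notable-0001",
    "rule_name": "Access - Brute Force Access Behavior Detected - Rule",
    "urgency": "high",
    "src": "10.0.0.5",
    "dest": ["10.0.1.20", "10.0.1.21"],
    "user": "jdoe",
    "action": "failure",
    "app": "sshd",
}

if __name__ == "__main__":
    print(json.dumps(build_artifact(SAMPLE_NOTABLE, label="notable"), indent=2))
```

Two design points worth noting: unmapped CIM fields are passed through under their original names rather than dropped, so a field the mapping table does not know about is still available to playbooks, and the identifier for saved-search results is a hash over the CIM fields only, so the same event seen again with a different `_time` or `_cd` still yields the same identifier.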
Last modified on 13 January, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 2.7.5, 3.0.5, 4.0.10, 4.0.35

