Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Search within Splunk Phantom

Splunk Phantom includes an embedded copy of Splunk Enterprise for searching data in the Splunk Phantom instance. You can also configure search using an external instance of Splunk Enterprise or external Elastic Search. For more information, see Configure search in Splunk Phantom in the Administer Splunk Phantom manual.

The search terms appear as part of the URL in the address bar, so you can bookmark that URL to rerun the same search later.

Each time the page loads, the search results might vary as changes in Splunk Phantom occur between page visits.

When no filters are selected, an implied ALL condition applies to the search. Use the filters such as Containers, Artifacts, or Actions to narrow your search results. When filters are selected, any categories not selected are excluded from the search.

By default, the search returns 10 results per page. Use the menu to view a maximum of 100 results per page.

Searching with multiple words creates an implied ALL condition. For example, the term data path returns results containing both data and path. Use OR to find results containing either data or path, as shown in the following example:

(Screen image: the term data path entered into the search field, with the list of matching results below it.)

The search directives in Splunk Phantom are limited to a small subset of the Splunk Processing Language (SPL). If you're using an external Splunk Enterprise instance as your Phantom search engine, you can use all of the Splunk Enterprise features through the interface on that instance. For more information, see Understanding SPL syntax in the Splunk Enterprise Search Reference manual.

The basic boolean operators are AND, OR, and NOT. Use parentheses to group terms and build more complex boolean searches.

The NOT operator excludes an entire object from appearing in the search results, even if other terms do match within that object.

Include quotes for an exact phrase. For example, you can use data AND path to explicitly search for objects containing both data and path, but you can also use "data path" with quotes to search for that exact phrase. The query then matches only the word data followed by whitespace followed by the exact word path.

Search works on whole words, which are strings of non-special characters without whitespace. For example, searching for data finds one set of results, while searching for dat finds different ones, unless the object happens to contain both the words data and dat.

Use wildcards to search for partial words. A single asterisk matches any number of characters. For example, searching for dat* matches either data or dat or any words starting with the characters dat, such as date.
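Taken together, the rules above describe a small boolean query language: implied AND between words, explicit AND, OR and NOT, parentheses for grouping, quoted exact phrases, whole-word matching, and a * wildcard. The following Python matcher is an added example, not Splunk code, that evaluates such a query against one object's text under those rules; it assumes matching is case-insensitive, that the operators are the uppercase AND, OR and NOT as written on this page, and that a "word" is a run of alphanumeric characters.

```python
import re

# Query tokens: a quoted phrase, a parenthesis, or a bare word (which may contain a * wildcard).
_TOKEN = re.compile(r'"([^"]*)"|(\(|\))|([^\s()"]+)')

def _words(text):
    # Whole words as the search sees them: runs of non-special characters, case-folded (assumption).
    return re.findall(r"\w+", text.lower())

def matches(query, text):
    # True if `text` satisfies `query` under the AND / OR / NOT / "phrase" / wildcard rules.
    toks = [("paren", p) if p else ("word", w) if w else ("phrase", ph)
            for ph, p, w in _TOKEN.findall(query)]
    words, pos = _words(text), 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def expr():  # term (OR term)*
        nonlocal pos
        result = term()
        while peek() == ("word", "OR"):
            pos += 1
            result = term() or result  # term() runs first, so parsing always advances
        return result
    def term():  # factor (AND? factor)*: adjacent terms imply AND
        nonlocal pos
        result = factor()
        while peek() not in (None, ("word", "OR"), ("paren", ")")):
            pos += peek() == ("word", "AND")  # an explicit AND is optional (True adds 1)
            result = factor() and result
        return result
    def factor():  # NOT factor | ( expr ) | "exact phrase" | word
        nonlocal pos
        tok = peek()
        if tok is None: raise ValueError("unexpected end of query")
        pos += 1
        if tok == ("word", "NOT"):  # NOT drops the whole object even if other terms match
            return not factor()
        if tok == ("paren", "("):
            inner = expr()
            if peek() != ("paren", ")"): raise ValueError("missing closing parenthesis")
            pos += 1
            return inner
        if tok[0] == "phrase":  # the phrase's words must appear adjacent and in order
            phrase = _words(tok[1])
            return any(words[i:i + len(phrase)] == phrase for i in range(len(words)))
        pattern = ".*".join(map(re.escape, tok[1].lower().split("*")))  # '*' = any characters
        return any(re.fullmatch(pattern, w) for w in words)
    result = expr()
    if pos != len(toks): raise ValueError("unexpected token %r" % (toks[pos],))
    return result
```

For example, matches('dat* AND NOT (date OR datum)', 'updated data') is True because dat* matches the whole word data, while the same query is False for 'the date is set'.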

Last modified on 24 January, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
