Search within Splunk Phantom
Splunk Phantom includes an embedded copy of Splunk Enterprise for searching data in the Splunk Phantom instance. You can also configure search using an external instance of Splunk Enterprise or external Elastic Search. For more information, see Configure search in Splunk Phantom in the Administer Splunk Phantom manual.
The search terms appear as part of the URL in the address bar, so you can create a bookmark using the search terms. For example:
Each time the page loads, the search results might vary as changes in Splunk Phantom occur between page visits.
When no filters are selected, an implied ALL condition applies to the search. Use the filters such as Containers, Artifacts, or Actions to narrow your search results. When filters are selected, any categories not selected are excluded from the search.
By default, the search returns 10 results per page. Use the menu to view a maximum of 100 results per page.
Searching with multiple words creates an implied ALL condition. For example, the term data path returns results containing both data and path. Use OR to find results containing either data or path, as shown in the following example:
The search directives in Splunk Phantom are limited to a small subset of the Splunk Processing Language (SPL). If you're using an external Splunk Enterprise instance as your Phantom search engine, you can use all of the Splunk Enterprise features through the interface on that instance. For more information, see Understanding SPL syntax in the Splunk Enterprise Search Reference manual.
The basic boolean operators are AND, OR, and NOT. Use parentheses to group terms and build more complex boolean searches.
The NOT operator excludes an entire object from appearing in the search results, even if other terms do match within that object.
Include quotes for an exact phrase. For example, you can use data path to explicitly search for objects with both data and path, but you can also use "data path" with quotes to search for that exact phrase. The query returns the word data followed by whitespace followed by the exact word path.
Search works on whole words, which are strings of non-special characters without whitespace. For example, searching for data finds one set of results, while searching for dat finds different ones, unless the object happens to contain both the words data and dat.
Use wildcards to search for partial words. A single asterisk matches any number of characters. For example, searching for dat* matches either dat or any words starting with the characters dat, such as data.
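The following Python model is an added illustration, not Splunk Phantom's own search code: it evaluates the query rules described above (implied AND between words, OR, NOT excluding the whole object, parentheses, quoted phrases, whole-word matching and the asterisk wildcard) over a few constructed sample objects. It assumes case-insensitive matching and treats letters, digits and underscore as word characters; both are assumptions, not documented Phantom behavior.

```python
import re
# Constructed sample objects (not real Phantom data): object name -> searchable text.
OBJECTS = {
    "container-1": "Phishing email with suspicious data path in header",
    "container-2": "Malware sample dat file uploaded to sandbox",
    "artifact-3": "Unusual path to data on outbound host",
}
# Tokens: a quoted phrase, a parenthesis, or a bare word (AND/OR/NOT are bare words).
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()]+')
def words(text):
    # Whole words are runs of non-special characters; case-insensitive matching is assumed.
    return re.findall(r"[A-Za-z0-9_]+", text.lower())
def term_matches(term, ws):
    if term.startswith('"'):                  # exact phrase: consecutive whole words
        phrase = words(term)
        return any(ws[i:i + len(phrase)] == phrase for i in range(len(ws)))
    if "*" in term:                           # wildcard: '*' matches any characters
        pat = "^" + ".*".join(map(re.escape, term.lower().split("*"))) + "$"
        return any(re.match(pat, w) for w in ws)
    return term.lower() in ws                 # plain term: whole-word match only
def evaluate(query, text):
    """Recursive descent over the query; adjacent terms imply AND, OR binds weakest."""
    tokens, ws, pos = TOKEN_RE.findall(query), words(text), 0
    def primary():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val, pos = or_expr(), pos + 1     # consume the closing ')'
            return val
        if tok == "NOT":                      # NOT excludes the whole object
            return not primary()
        return term_matches(tok, ws)
    def and_expr():
        nonlocal pos
        val = primary()
        while pos < len(tokens) and tokens[pos] not in ("OR", ")"):
            if tokens[pos] == "AND":
                pos += 1
            val = primary() and val           # call first so pos always advances
        return val
    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            val = and_expr() or val
        return val
    return or_expr() if tokens else True      # empty query: implied ALL
def search(query):
    return sorted(name for name, text in OBJECTS.items() if evaluate(query, text))
```

Note that "data path" (implied AND) also matches artifact-3, which contains the two words in a different order, while the quoted phrase matches only container-1.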
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7