Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events



This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Troubleshoot event forwarding

If you encounter one of the following issues, follow the steps given for it.

Container labels not showing up in Splunk Phantom

With data model and saved search exports, the container label must exist in the server or it does not appear in Splunk Phantom. It is easiest to leave the container label as the default. When you leave the label as the default, the app finds a generic label to use that exists in Splunk Phantom.


Saving a Splunk Data Model Export fails with an error

Saving a data model export in the Splunk Phantom App for Splunk fails with the following error if Splunk Enterprise or Splunk Cloud is configured to use the Free license group:

Argument "action.script" is not supported by this handler.

Saved searches are disabled in the Splunk Phantom App for Splunk when the platform is in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.

Missing data in mapped CEF fields

When a data model or saved search produces a large number of fields, some of the fields may be parsed out by the Splunk platform before the data is passed to the Splunk Phantom App for Splunk. Any fields that are removed by the Splunk platform before being passed to the Splunk Phantom App for Splunk are not mapped.

To determine if the Splunk platform is parsing any fields, perform the following tasks:

  1. In Splunk Web, navigate to the Splunk Phantom App for Splunk.
  2. Open the data model or saved search export that is missing a mapped CEF field.
  3. Click Save and Preview.
  4. In the Preview section, look for cases where the Phantom Add-On for Splunk can see the field name and corresponding data, but in the Successfully parsed CEF fields section the mapped CEF field name is missing.

To resolve this issue, reduce the number of fields produced by the data model or saved search by appending only the desired fields to the end of the search string. Use the following example to format your search string:

<Existing Search String> | fields <field1>, <field2>, <field3>, <field4>, <field5>, <field6>
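The following Python script is an added example and is not part of the Splunk documentation or the app. It reproduces the step 4 comparison offline (fields the app can see in the preview versus the fields that reach the "Successfully parsed CEF fields" section) and then builds the trimmed search string from the example above. The field-to-CEF mapping, the preview rows, the parsed CEF rows and the base search are all constructed sample data, not output from a real Splunk instance.

```python
# Added example, not Splunk's code. Simulates the preview check from step 4 and
# builds the "<search> | fields ..." string from the troubleshooting step above.
import re

# Constructed mapping of Splunk data-model/search fields to CEF field names
# (a hypothetical mapping, not the app's built-in one)
SAMPLE_CEF_MAPPING = {
    "src_ip": "sourceAddress",
    "dest_ip": "destinationAddress",
    "user": "suser",
    "signature": "name",
    "dest_port": "destinationPort",
}

# Constructed preview rows: the fields the app can see for each event
SAMPLE_PREVIEW_EVENTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.0.9", "user": "alice",
     "signature": "Brute force", "dest_port": "22"},
    {"src_ip": "10.0.0.6", "dest_ip": "10.0.0.9", "user": "bob",
     "signature": "Brute force"},
]

# Constructed "Successfully parsed CEF fields" rows for the same two events;
# destinationPort never arrives even though dest_port was visible above
SAMPLE_PARSED_CEF = [
    {"sourceAddress": "10.0.0.5", "destinationAddress": "10.0.0.9",
     "suser": "alice", "name": "Brute force"},
    {"sourceAddress": "10.0.0.6", "destinationAddress": "10.0.0.9",
     "suser": "bob", "name": "Brute force"},
]


def find_unmapped_cef_fields(events, parsed_cef, mapping):
    """Return CEF field names whose source field is visible in at least one
    preview event but which never appear in the parsed CEF output. This is the
    condition described in step 4: data present, mapped CEF field missing."""
    missing = []
    for src_field, cef_field in mapping.items():
        seen_in_events = any(src_field in event for event in events)
        seen_in_cef = any(cef_field in row for row in parsed_cef)
        if seen_in_events and not seen_in_cef:
            missing.append(cef_field)
    return missing


def build_trimmed_search(search_string, mapping):
    """Append '| fields f1, f2, ...' listing only the mapped source fields, so
    the platform has no reason to drop them before hand-off to the app."""
    base = search_string.rstrip().rstrip("|").rstrip()
    # Strip any trailing 'fields' clause first so repeated runs stay idempotent
    base = re.sub(r"\s*\|\s*fields\s+[^|]*$", "", base)
    return f"{base} | fields {', '.join(mapping)}"


if __name__ == "__main__":
    # Constructed base search; in practice this is the export's existing search
    base_search = "index=ids sourcetype=suricata"
    print("Missing CEF fields:",
          find_unmapped_cef_fields(SAMPLE_PREVIEW_EVENTS, SAMPLE_PARSED_CEF,
                                   SAMPLE_CEF_MAPPING))
    print("Trimmed search:", build_trimmed_search(base_search, SAMPLE_CEF_MAPPING))
```

Run it with no arguments; it reports `destinationPort` as the unmapped CEF field and prints the base search with a `| fields` clause naming the five mapped source fields. Feed your own preview rows and mapping into the two functions to get the same report for a real export.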
Last modified on 14 January, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 2.7.5

