Splunk® Phantom App for Splunk

Install and Upgrade the Splunk Phantom App for Splunk



This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Troubleshoot the Splunk Phantom App for Splunk

If you encounter any of the following issues, follow these steps for guidance.

Problems with certificate validation

If you are having difficulty establishing a connection between Splunk Phantom and your Splunk Enterprise instance, you may have seen an error message that looks something like this:

Failed to communicate with user "" on Phantom server "https://example.com". Error: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)'),))

This means the Splunk platform could not build a trusted chain for the certificate that the Splunk Phantom server presented. Fix it by giving the Splunk platform a CA bundle that signs the Phantom certificate, or by installing a CA-signed certificate on Phantom, rather than by turning verification off. See Provide a valid SSL certificate for the connection between Splunk Phantom and Splunk Enterprise for information on how to fix this issue.
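The following is an added example, not code from the Splunk Phantom App for Splunk. It performs the same verified TLS handshake the app attempts against the Phantom REST endpoint, using only the Python standard library, so you can test a candidate CA bundle before handing it to the app. It never disables verification; on failure it classifies the OpenSSL reason so you know whether to add a CA, fix a self-signed certificate, or correct a hostname mismatch. The host name, port and CA bundle path are placeholders, and the sample error string is the one quoted above, retyped here rather than captured live.

```python
"""Probe the Phantom server's certificate with the trust settings Splunk needs."""
import socket
import ssl
import sys

# Constructed sample: the SSLError text quoted in this troubleshooting topic,
# as emitted by a Python 2 requests client (not a live capture).
SAMPLE_ERROR = (
    "HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded "
    "with url: /rest/ph_user?include_automation=true (Caused by SSLError("
    "SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed "
    "(_ssl.c:741)'),))"
)

# OpenSSL verify-failure reasons seen in newer Python/OpenSSL builds, paired
# with the fix that applies. Older builds (like the sample) only say
# "certificate verify failed", which the last, generic entry catches.
_REASONS = (
    ("self signed certificate", "self_signed",
     "Phantom presents a self-signed certificate; add it to the CA bundle Splunk uses"),
    ("unable to get local issuer certificate", "issuer_missing",
     "the issuing CA is not in the bundle Splunk uses; add the full CA chain"),
    ("hostname mismatch", "hostname_mismatch",
     "the certificate SAN does not cover the name in the server URL; reissue it or fix the URL"),
    ("certificate has expired", "expired", "renew the Phantom certificate"),
    ("certificate verify failed", "verify_failed",
     "chain not trusted; supply a CA bundle that signs the Phantom certificate"),
)


def classify_ssl_error(text):
    """Return (code, advice) for an SSL error message; ('other', ...) if not a verify error."""
    lowered = text.lower().replace("-", " ")  # OpenSSL 3 spells it "self-signed"
    for needle, code, advice in _REASONS:
        if needle in lowered:
            return code, advice
    return "other", "not a certificate-validation failure; check name resolution and connectivity"


def probe_phantom_tls(host, port=443, cafile=None, timeout=5.0):
    """Open a verified TLS session to Phantom the way the app would.

    cafile=None uses the system trust store; pass the bundle you intend to
    configure. Returns ok=True with the leaf certificate's subject, issuer,
    DNS SANs and expiry, or ok=False with the classified verification error.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # must precede the SSLError clause
        code, advice = classify_ssl_error(str(exc))
        return {"ok": False, "code": code, "advice": advice, "error": str(exc)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "code": "other",
                "advice": "handshake or transport failure, not a trust problem", "error": str(exc)}
    return {
        "ok": True,
        "subject": dict(pair for rdn in cert["subject"] for pair in rdn),
        "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn),
        "san": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": cert["notAfter"],
    }


if __name__ == "__main__":
    # Placeholder host; pass your Phantom host and optionally a CA bundle path.
    target = sys.argv[1] if len(sys.argv) > 1 else "phantom.example.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_phantom_tls(target, cafile=bundle))
```

Run it once with no bundle to reproduce the app's failure, then again with the bundle you plan to configure; when the second run returns ok=True and the san list contains the host name used in the app's server URL, that bundle is the one to supply to the Splunk platform.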

Splunk Enterprise Security Adaptive Response "Send to Phantom" option missing

In the Splunk Phantom App for Splunk version 2.2.6, an Enterprise Security Adaptive Response feature was added so that Splunk platform users can send events directly to Splunk Phantom. If the App Import Update configuration in Splunk Enterprise Security (ES) does not specify Splunk Phantom, the Send to Phantom action is unavailable.

To check if the Splunk ES App Import Update is configured to allow access to the Splunk Phantom App for Splunk, perform the following tasks:

  1. In Splunk Web, click on the Enterprise Security app.
  2. In Splunk ES, select Configure > General > App Imports Update.
  3. In the App Import "update_es", verify that the Application Regular Expression field includes |(phantom). For example:
    (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)|(phantom)

If you are unable to locate the configuration page, you can find the App Imports Update configurations in the following location:

https://<hostname_or_ip>:<splunk_port>/en-US/manager/SplunkEnterpriseSecuritySuite/data/inputs/app_imports_update
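As an added example (not Enterprise Security's own code), the following reads the update_es stanza from a constructed inputs.conf fragment, checks whether its Application Regular Expression selects the phantom app, and returns the corrected pattern. It assumes that ES stores the input as an `[app_imports_update://update_es]` stanza with an `app_regex` key, and that the pattern is applied with Python re.match semantics (anchored at the start of the app name but not at the end, which is why the default entries end in `.`); confirm both against your ES version.

```python
"""Check and repair the ES App Imports Update regex for the phantom app."""
import configparser
import re

# Constructed sample of the update_es stanza as it might appear in
# $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/inputs.conf
# (assumed stanza and key names; not copied from a real deployment).
SAMPLE_INPUTS_CONF = """\
[app_imports_update://update_es]
app_regex = (appsbrowser)|(search)|([ST]A-.)|(Splunk_[ST]A_.)|(DA-ESS-.)|(Splunk_DA-ESS_.)
disabled = 0
"""

STANZA = "app_imports_update://update_es"


def read_app_regex(conf_text, stanza=STANZA):
    """Extract app_regex from Splunk-style INI text (no % interpolation)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return parser[stanza]["app_regex"]


def app_selected(app_regex, app_name):
    """Assumed ES semantics: the pattern must match at the start of the app name."""
    return re.match(app_regex, app_name) is not None


def with_phantom(app_regex):
    """Return the pattern unchanged if it already selects 'phantom', else append |(phantom)."""
    if app_selected(app_regex, "phantom"):
        return app_regex
    return app_regex + "|(phantom)"


def audit(conf_text, apps=("phantom", "TA-phantom_example", "DA-ESS-ThreatIntelligence")):
    """Report which app directory names the configured pattern would import."""
    regex = read_app_regex(conf_text)
    return {app: app_selected(regex, app) for app in apps}


if __name__ == "__main__":
    regex = read_app_regex(SAMPLE_INPUTS_CONF)
    print("current:", audit(SAMPLE_INPUTS_CONF))
    print("repaired app_regex =", with_phantom(regex))
```

Note that the app must be named exactly `phantom` on disk for the appended alternative to match; a TA whose directory begins with `TA-` is already covered by the default pattern, which is why only the app itself needs the extra alternative.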

Error assigning the automation role to a user

If you are using the automation role in Splunk Phantom and get an error when assigning it to a user, try entering "any" in the Allowed IPs field for that user. Once communication between Splunk Phantom and your Splunk platform instance is established, change the allowed IPs to the IP address or IP range of the Splunk platform instance, so that the automation user's token cannot be used from any other host.

Error adding a label using Splunk Enterprise Security

To see if an error occurred when you added a label, run the following search:

index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR

The Splunk Phantom server configuration cannot be added to the Splunk Phantom App for Splunk

In some cases, the Splunk Phantom App for Splunk server configuration and searches may display an error message such as the following in $SPLUNK_HOME/var/log/splunk/python.log:

Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: 
[HTTP 403] Client is not authorized to perform requested action; 

The phantom_read, phantom_write, and admin_all_objects capabilities may no longer be applied by default to the phantom role during the Splunk Phantom App for Splunk installation. Without these capabilities, the Splunk Phantom App for Splunk is not able to read or write the REST API key of the Splunk Phantom instance, and its requests to the conf-phantom endpoint are rejected with HTTP 403 as shown above.

To resolve the issue, make sure the phantom role carries the required capabilities, and that the Splunk platform user the Splunk Phantom App for Splunk runs as holds the phantom role. Because admin_all_objects grants access to every knowledge object in every app, prefer a dedicated service account for the app over reusing a personal administrator account.

If you are using release 2.5.2 or earlier of the Splunk Phantom App for Splunk, perform the following steps:

  1. In Splunk Web, navigate to Settings > Access Controls.
  2. Click Roles.
  3. Click the phantom role.
  4. In the Capabilities section, from the Available capabilities column, click admin_all_objects, phantom_read, phantom_write, and list_storage_passwords to add them to Selected capabilities.
  5. Click Save.

If you are using release 2.5.23 or later of the Splunk Phantom App for Splunk, perform the following tasks:

  1. In Splunk Web, navigate to Settings > Access Controls.
  2. Click Users.
  3. Click the name of the user in use by the Splunk Phantom App for Splunk, such as admin.
  4. In the Assign to roles section, from the Available item(s) column, click phantom to add it to Selected item(s).
  5. Click Save.
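The following added example (not part of the Splunk Phantom App for Splunk) checks both conditions from the procedures above through Splunk's REST API on the management port: that the phantom role holds the capabilities this topic lists, and that the account the app runs as is a member of that role. The REST endpoints are the standard Splunk authorization and authentication endpoints; the host name, management port, credentials, service account name and CA bundle path are placeholders. The two sample responses are constructed in the shape of `output_mode=json` replies, trimmed to the fields used, and were not captured from a real instance.

```python
"""Audit the phantom role's capabilities and the app user's role membership."""
import base64
import json
import ssl
import urllib.request

# Capabilities this troubleshooting topic says the phantom role needs.
REQUIRED_CAPABILITIES = frozenset(
    {"phantom_read", "phantom_write", "admin_all_objects", "list_storage_passwords"}
)

# Constructed sample responses (trimmed); not captured from a real instance.
SAMPLE_ROLE_BROKEN = {"entry": [{"name": "phantom", "content": {
    "capabilities": ["phantom_read", "phantom_write"],
    "imported_capabilities": [],
}}]}
SAMPLE_ROLE_OK = {"entry": [{"name": "phantom", "content": {
    "capabilities": ["phantom_read", "phantom_write", "list_storage_passwords"],
    "imported_capabilities": ["admin_all_objects"],  # inherited from an imported role
}}]}
SAMPLE_USER_BROKEN = {"entry": [{"name": "svc_phantom", "content": {
    "roles": ["user"],
}}]}
SAMPLE_USER_OK = {"entry": [{"name": "svc_phantom", "content": {
    "roles": ["user", "phantom"],
}}]}


def missing_role_capabilities(role_json, required=REQUIRED_CAPABILITIES):
    """Capabilities the role lacks, counting both direct and imported ones."""
    content = role_json["entry"][0]["content"]
    held = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
    return sorted(required - held)


def user_holds_role(user_json, role="phantom"):
    """True if the user's role list includes the given role."""
    return role in user_json["entry"][0]["content"].get("roles", [])


def _get_json(url, user, password, cafile=None):
    """GET a Splunk REST resource with basic auth over a verified TLS connection."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)  # splunkd's cert must validate too
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def audit(host, mgmt_port, user, password, app_user, cafile=None):
    """Fetch role and user objects from splunkd and report what is missing."""
    base = f"https://{host}:{mgmt_port}/services"
    role = _get_json(f"{base}/authorization/roles/phantom?output_mode=json", user, password, cafile)
    usr = _get_json(f"{base}/authentication/users/{app_user}?output_mode=json", user, password, cafile)
    return {
        "missing_capabilities": missing_role_capabilities(role),
        "user_has_phantom_role": user_holds_role(usr),
    }


if __name__ == "__main__":
    # Placeholder values; replace with your search head, an admin credential
    # and the service account the app runs as.
    print(audit("splunk.example.com", 8089, "admin", "changeme", "svc_phantom"))
```

An empty missing_capabilities list together with user_has_phantom_role set to True is the state the procedures above aim for; if a required capability shows up only under imported_capabilities, it is inherited from another role and still counts.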

If you are configuring a Splunk Phantom cluster, configure the cluster before configuring the Splunk Phantom App for Splunk. Any configuration or information on a stand-alone Splunk Phantom instance is erased when the instance is joined to an existing cluster. See Create a Splunk Phantom Cluster in the Install and Upgrade Splunk Phantom manual.

Last modified on 13 May, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 2.7.5, 3.0.5, 4.0.10, 4.0.35

