Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Troubleshoot event forwarding

If you encounter any of the following issues, use the guidance in the matching section to resolve it.

Container labels not showing up in Splunk Phantom

With data model and saved search exports, the container label must already exist on the Splunk Phantom server, or it does not appear in Splunk Phantom. It is easiest to leave the container label as the default. When you leave the label as the default, the app finds a generic label to use that exists in Splunk Phantom.

Saving a Splunk Data Model Export fails with an error

Saving a data model export in the Splunk Phantom App for Splunk fails with the following error if Splunk Enterprise or Splunk Cloud is configured to use the Free license group:

Argument "action.script" is not supported by this handler.

Saved searches are disabled on the Splunk Phantom App for Splunk in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.

Last modified on 14 January, 2021
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 3.0.5, 4.0.10, 4.0.35

