Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

This documentation does not apply to the most recent version of Splunk® Phantom App for Splunk. For documentation on the most recent version, go to the latest release.

Configure global field mappings

Use global field mappings when you have mappings that you want to apply for all your data model and saved search exports. Global field mappings provide consistency in the CEF mappings for events sent to Splunk Phantom, and can also save you time when configuring your data model or saved search exports.

How global field mappings are created

Global field mappings are created when you configure or edit event forwarding. For example:

  1. Configure a new data model or saved search export. See Create a data model export to send data to Splunk Phantom or Create a saved search export to send data to Splunk Phantom.
  2. Configure your desired mappings for the unmapped fields, then click Save Mappings to save the mappings as global field mappings.

The next time you configure a data model or saved search export, any fields that are mapped with global field mappings will appear in the Mapped Fields section. Global field mappings are only applied to new data model or saved search export configurations and not to any existing event forwarding configurations.

Global field mappings are created automatically for Splunk Enterprise Security (ES) notable events.

If you map a field that already exists as a global field mapping, the existing global field mapping is overwritten.

Updating CIM to CEF mappings when accessing the global field mappings for the first time

The first time you access the Global Field Mapping page, the default CIM-to-CEF mappings defined in Splunk Phantom are displayed. Configure and save the desired mappings to use them in your saved searches and data models. The default CIM-to-CEF mappings are not displayed again when you access the Global Field Mapping page any subsequent time.

Forward unmodified data to Splunk Phantom

Delete a global field mapping to send the raw, unmodified data to Splunk Phantom.

Perform the following tasks to delete a global field mapping:

  1. In your Splunk platform instance, access the Splunk Phantom App for Splunk.
  2. Click Configure Global Field Mappings.
  3. Click Delete for the field mapping you want to delete.
  4. Click Delete in the dialog box to confirm that you want to delete the mapping.
Last modified on 14 January, 2021
Create a saved search export to send data to Splunk Phantom   Troubleshoot event forwarding

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 3.0.5, 4.0.10, 4.0.35

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters