Related Answers
Download topic as PDF
About the Splunk Phantom Remote Search app
Splunk Phantom can use an external Splunk Enterprise or Splunk Cloud instance as the main search engine to search for Splunk Phantom data. To do this, install the Splunk Phantom Remote Search app on your Splunk instance to connect your Splunk instance to your Splunk Phantom instance.
You can use the Splunk Phantom Remote Search app to connect Splunk Phantom and the Splunk platform in the following ways:
- Connect Splunk Phantom to a standalone Splunk platform instance. See Connect to a single Splunk platform instance for instructions.
- Connect Splunk Phantom to a distributed Splunk platform deployment containing one or more search heads, one or more indexers, with or without a search head cluster or indexer cluster. See Connect to a distributed Splunk platform deployment for instructions.
Obtain a Splunk Enterprise license to use the Splunk Phantom Remote Search app
You need a Splunk Enterprise license to use external Splunk Enterprise with Splunk Phantom. If you don't already have a Splunk Enterprise license, work with your delivery team to purchase one.
Version compatibility with Splunk Phantom
The Splunk Phantom Remote Search App is compatible with the following versions of Splunk Phantom:
| Splunk Phantom Remote Search App Version | Splunk Phantom Version |
|---|---|
| 1.0.12 and earlier | 4.6 and earlier |
| 1.0.14 | 4.8 |
Last modified on 17 March, 2020
|
NEXT Connect to a standalone Splunk instance |
Feedback submitted, thanks!