Splunk® Phantom Remote Search


Connect to a standalone Splunk instance

Follow the steps listed to connect your Splunk Phantom instance or cluster to a standalone external Splunk instance or Splunk Cloud deployment.

  1. Set up the HTTP Event Collector on the Splunk platform.
  2. Create the required user accounts on the Splunk instance for Splunk Phantom.
  3. Configure Splunk Phantom to use an external Splunk instance.

Set up the HTTP Event Collector on the standalone Splunk platform instance

Enable the HTTP Event Collector (HEC) on the Splunk platform and create a new token so you can use the HEC. Repeat these tasks on any other indexers that require separate HEC tokens. See Scale HTTP Event Collector with distributed deployments in the Splunk Enterprise Getting Data In manual for more information.

Follow the instructions for your Splunk Enterprise or Splunk Cloud deployment:

  • Distributed Splunk Enterprise: see Configure HTTP Event Collector on Splunk Enterprise for instructions.
  • Self-service Splunk Cloud: see Configure HTTP Event Collector on self-service Splunk Cloud for instructions.
  • Managed Splunk Cloud: see Configure HTTP Event Collector on managed Splunk Cloud for instructions.

During the procedure, do not click the Enable indexer acknowledgment checkbox when creating an Event Collector token. HTTP Event Collector indexer acknowledgement is not supported. See About HTTP Event Collector Indexer Acknowledgement for information about how to disable indexer acknowledgement if you have enabled it.

When you are creating the new token, you must select all of the phantom_ indexes and move them to the Selected item(s) list. Then, select the index you want to use as the default index, such as phantom_app. The following screenshot shows an example.

This screenshot shows the Input Settings page when adding a new token for a data input on the Splunk platform. The Index field is highlighted, showing a series of index names starting with "phantom_" that are moved from the Available items column to the Selected items column.

On the HTTP Event Collector page, copy the token value for the new token. You will need this value when you configure Splunk Phantom. If you don't copy it now, you can return to the HTTP Event Collector page to obtain the value later when you need it.
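The following script is an added example, not part of the Splunk documentation. It exercises a new HEC token from the Phantom side before you commit it to the Search Settings form: it builds the HEC request the way the later "Use SSL for HTTP Event Collector" choice does, routes a test event to one of the phantom_ indexes selected for the token, and inspects the reply for signs that indexer acknowledgement is enabled (an ackId in the response, or error code 10 "Data channel is missing", both of which only occur on tokens with acknowledgement turned on). The endpoint path /services/collector/event is Splunk's own; the host, port, token and index prefix are placeholders or constructed values.

```python
# Added example (not from the Splunk documentation): exercise a new HEC token
# and confirm indexer acknowledgement is not enabled on it.
# Assumptions: host/port/token below are placeholders; /services/collector/event
# is Splunk's standard HEC endpoint; the "phantom_" index prefix is from the docs.
import json
import urllib.error
import urllib.request

PHANTOM_INDEX_PREFIX = "phantom_"


def hec_url(host: str, port: int, use_ssl: bool,
            path: str = "/services/collector/event") -> str:
    """URL for the HEC endpoint, honouring the Use SSL for HTTP Event Collector choice."""
    scheme = "https" if use_ssl else "http"
    return f"{scheme}://{host}:{port}{path}"


def hec_headers(token: str) -> dict:
    """HEC authenticates with the header 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def build_test_event(index: str) -> dict:
    """A minimal event routed to one of the phantom_ indexes selected for the token."""
    if not index.startswith(PHANTOM_INDEX_PREFIX):
        raise ValueError(f"token should target a {PHANTOM_INDEX_PREFIX}* index, not {index!r}")
    return {"event": {"check": "phantom-hec-connectivity"}, "index": index, "sourcetype": "_json"}


def check_hec_response(body: str) -> dict:
    """Interpret HEC's JSON reply. code 0 is success. An 'ackId' in the reply, or
    code 10 ('Data channel is missing'), means indexer acknowledgement is enabled
    on the token, which Splunk Phantom does not support."""
    data = json.loads(body)
    code = data.get("code")
    ack_enabled = "ackId" in data or code == 10
    return {
        "ok": code == 0 and not ack_enabled,
        "code": code,
        "text": data.get("text"),
        "ack_enabled": ack_enabled,
    }


def send_test_event(host: str, port: int, token: str, index: str,
                    use_ssl: bool = True, context=None, timeout: int = 10) -> dict:
    """POST one test event and interpret the reply. 'context' is an ssl.SSLContext;
    None means Python's default (certificate and hostname verification on)."""
    req = urllib.request.Request(
        hec_url(host, port, use_ssl),
        data=json.dumps(build_test_event(index)).encode(),
        headers=hec_headers(token),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=context if use_ssl else None) as resp:
            return check_hec_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        # HEC answers bad tokens, wrong indexes and ack problems with a 4xx and a JSON body.
        return check_hec_response(err.read().decode())


if __name__ == "__main__":
    # Placeholders: replace with your Splunk host, HEC port and the token you just copied.
    print(send_test_event("splunk.example.com", 8088, "REPLACE-WITH-HEC-TOKEN", "phantom_app"))
```

A reply of {"text":"Success","code":0} with no ackId is what you want to see; if ack_enabled comes back True, return to the token's settings and clear the indexer acknowledgement option before continuing.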

Create the required user accounts on the standalone Splunk instance or Splunk Cloud deployment for Splunk Phantom

Splunk Phantom requires two user accounts with roles added by the Phantom Remote Search app. The roles are phantomsearch and phantomdelete. You can use any user names you like for these accounts. These instructions use phantomsearchuser and phantomdeleteuser as examples.

Create these accounts on a search head.

  1. In Splunk Web, select Settings > Access Controls.
  2. Create the user account with the phantomsearch role:
    1. Click Users.
    2. Click New User.
    3. Type phantomsearchuser in the Name field.
    4. Set and confirm a password for this user that complies with your organization's security policies.
    5. Under Assigned role(s), in the Selected item(s) box, select user to remove that role.
    6. Under Assigned role(s), in the Available item(s) box, select phantomsearch to add that role.
    7. Deselect the Require password change on first login check box.
    8. Click Save.
  3. Create the user account with the phantomdelete role:
    1. Click New User.
    2. Type phantomdeleteuser in the Name field.
    3. Set and confirm a password for this user that complies with your organization's security policies.
    4. Under Assigned role(s), in the Selected item(s) box, select user to remove that role.
    5. Under Assigned role(s), in the Available item(s) box, select phantomdelete to add that role.
    6. Deselect the Require password change on first login check box.
    7. Click Save.

Configure Splunk Phantom to use an external Splunk instance or Splunk Cloud deployment

After the Splunk Phantom Remote Search app is installed and the required user accounts are created, configure Splunk Phantom to use the external Splunk instance or Splunk Cloud deployment.

Verify that you have the required information before adding the external Splunk instance or Splunk Cloud deployment

Before proceeding, verify that you have the following:

  • The host name and the REST API port number of your Splunk instance or Splunk Cloud deployment.
  • The HTTP Event Collector token.
  • The user names and passwords for the user accounts with the phantomsearch and phantomdelete roles.

Add the external Splunk instance

Perform the following tasks to add the external Splunk Enterprise instance or Splunk Cloud deployment.

  1. Log in to Splunk Phantom as an administrative user.
  2. From the main menu, select Administration.
  3. Select Administration Settings.
  4. Select Search Settings.
  5. In the Search Endpoint field, select the radio button for External Splunk Enterprise Instance.
    1. In the Enable Splunk Search Endpoint section, type the host name of your Splunk instance in the Host field.
    2. In the User with Search Privileges field, type the user name and password for the user account with the phantomsearch role in the Username and Password fields.
    3. In the User with Delete Privileges field, type the user name and password for the user account with the phantomdelete role in the Username and Password fields.
    4. Type the port number that the Splunk Enterprise instance or Splunk Cloud deployment uses to listen for REST API calls in the REST Port field.
    5. Select the Use SSL for REST checkbox to enable SSL for REST API calls.
    6. Select the Verify Certificate for REST checkbox to enable SSL certificate verification.
    7. Type the port number for the HTTP Event Collector on the Splunk instance in the HTTP Event Collector Port field.
    8. Select the Use SSL for HTTP Event Collector checkbox to enable SSL for the HTTP Event Collector.
    9. Select the Verify Certificate for HTTP Event Collector checkbox to enable SSL certificate verification.
    10. Paste the HTTP Event Collector token in the HTTP Event Collector Token field.
    11. Click Test Connection to verify the connection to your Splunk Enterprise instance or Splunk Cloud deployment.
  6. Click Save Changes.
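The script below is an added example, not part of the Splunk documentation or the Phantom Remote Search app. It serves two of the procedures above: the user-account steps (required role added, default user role removed) and the REST half of the Search Settings form (host, REST port, Use SSL for REST, Verify Certificate for REST). It models the form fields as a dataclass, builds the REST base URL from them, builds the TLS context that the Verify Certificate checkbox corresponds to, and checks each account's roles through Splunk's /services/authentication/current-context endpoint. The dataclass, the SearchSettings name, the sample JSON reply and the host and credentials are constructed or placeholder values.

```python
# Added example (not from the Splunk documentation): pre-flight the values you
# will type into the Search Settings form against the Splunk REST API.
# Assumptions: SearchSettings is a constructed model of the form fields;
# /services/authentication/current-context is Splunk's own endpoint; the host
# and credentials are placeholders; SAMPLE_CONTEXT is a constructed reply.
import base64
import json
import ssl
import urllib.request
from dataclasses import dataclass

REQUIRED_ROLES = {"search": "phantomsearch", "delete": "phantomdelete"}


@dataclass
class SearchSettings:
    """The REST-related fields of Phantom's Search Settings form."""
    host: str
    rest_port: int = 8089
    rest_use_ssl: bool = True
    rest_verify_cert: bool = True
    search_user: str = "phantomsearchuser"
    search_password: str = ""
    delete_user: str = "phantomdeleteuser"
    delete_password: str = ""


def rest_base_url(s: SearchSettings) -> str:
    """Host and REST Port, with the scheme chosen by Use SSL for REST."""
    scheme = "https" if s.rest_use_ssl else "http"
    return f"{scheme}://{s.host}:{s.rest_port}"


def ssl_context(verify: bool) -> ssl.SSLContext:
    """Verify Certificate checked: chain and hostname validation (Python's default).
    Unchecked: validation disabled, which is what clearing that box amounts to."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def roles_from_current_context(body: str) -> list:
    """Roles of the authenticated user from the JSON reply of
    GET /services/authentication/current-context?output_mode=json."""
    entry = json.loads(body)["entry"][0]
    return list(entry["content"].get("roles", []))


def check_role_assignment(roles, required_role: str) -> dict:
    """Mirror the account steps: required role present, default 'user' role removed."""
    has_role = required_role in roles
    user_removed = "user" not in roles
    return {"has_required_role": has_role,
            "default_user_role_removed": user_removed,
            "ok": has_role and user_removed}


def fetch_roles(s: SearchSettings, username: str, password: str, timeout: int = 10) -> list:
    """Authenticate as the account itself and read back its roles."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        rest_base_url(s) + "/services/authentication/current-context?output_mode=json",
        headers={"Authorization": f"Basic {creds}"},
    )
    ctx = ssl_context(s.rest_verify_cert) if s.rest_use_ssl else None
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return roles_from_current_context(resp.read().decode())


def preflight(s: SearchSettings) -> dict:
    """Check both accounts the way the form will use them."""
    return {
        "search": check_role_assignment(fetch_roles(s, s.search_user, s.search_password),
                                        REQUIRED_ROLES["search"]),
        "delete": check_role_assignment(fetch_roles(s, s.delete_user, s.delete_password),
                                        REQUIRED_ROLES["delete"]),
    }


# Constructed sample of a current-context reply, for offline use.
SAMPLE_CONTEXT = json.dumps({"entry": [{"name": "phantomsearchuser", "content": {
    "username": "phantomsearchuser", "roles": ["phantomsearch"]}}]})

if __name__ == "__main__":
    print(check_role_assignment(roles_from_current_context(SAMPLE_CONTEXT), "phantomsearch"))
    # Live run against placeholders: fill in host and passwords first.
    # print(preflight(SearchSettings(host="splunk.example.com", search_password="...", delete_password="...")))
```

Both the REST credentials and the HEC token travel in every request Phantom makes, so treat the two Verify Certificate checkboxes as the controls that stop those secrets being presented to an impostor host: leave them selected wherever the Splunk instance has a certificate your Phantom host trusts, and reserve ssl_context(False) for a lab.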
Last modified on 20 August, 2020

This documentation applies to the following versions of Splunk® Phantom Remote Search: 1.0.14