About the Splunk Phantom Remote Search app
Splunk Phantom and Splunk SOAR can use an external Splunk Enterprise or Splunk Cloud Platform instance as their search engine for Splunk Phantom or Splunk SOAR data. To do this, install the Splunk Phantom Remote Search app on your Splunk platform instance, which connects that instance to your Splunk Phantom or Splunk SOAR instance.
You can use the Splunk Phantom Remote Search app to connect Splunk Phantom or Splunk SOAR to the Splunk platform in the following ways:
- Connect Splunk Phantom or Splunk SOAR to a standalone Splunk platform instance. See Connect to a single Splunk platform instance for instructions.
- Connect Splunk Phantom or Splunk SOAR to a distributed Splunk platform deployment containing one or more search heads and one or more indexers, with or without a search head cluster or indexer cluster. See Connect to a distributed Splunk platform deployment for instructions.
New features and enhancements in this release
This release of the Splunk Phantom Remote Search app includes the following enhancements and updates:
- You can add Splunk Phantom or Splunk SOAR indexes to the Splunk platform by defining a custom prefix for the index. Each Splunk Phantom or Splunk SOAR instance can have its own custom prefix. See Define a custom index per Splunk Phantom instance in Administer Splunk Phantom.
- The phantom_custom_function index is added so that custom functions are searchable. See Add custom code to your Splunk Phantom playbook with the custom function block in Build Playbooks with the Visual Editor for more information about custom functions.
Obtain a Splunk Enterprise license to use the Splunk Phantom Remote Search app
You need a Splunk Enterprise license to use external Splunk Enterprise with Splunk Phantom or Splunk SOAR. If you don't already have a Splunk Enterprise license, work with your delivery team to purchase one.
Version compatibility with Splunk Phantom
The Splunk Phantom Remote Search app is compatible only with specific combinations of Splunk Phantom and Splunk platform versions.
Splunk Cloud Platform
Verify you have one of the following Splunk Phantom and Splunk Cloud Platform combinations:
| Splunk Phantom Remote Search App Version | Splunk Cloud Platform Version | Splunk Phantom Version |
|---|---|---|
| 1.0.17 | 8.2.2111 | Splunk SOAR (On-premises) 5.1.0 or higher |
| 1.0.17 | 8.2.2109 | Splunk SOAR (On-premises) 5.0.1 or higher |
| 1.0.17 | 8.2.2107 | Splunk SOAR (On-premises) 5.0.1 or higher |
| 1.0.17 | 8.2.2106 | 184.108.40.206640 or higher |
| 1.0.17 | 8.2.2105 | 220.127.116.11789 or higher |
| 1.0.17 | 8.1.2103 | 18.104.22.168064 or higher |
| 1.0.14 | 8.0.6, 8.0.x later than 8.0.6 | 4.8.x, 4.9.x |
Splunk Enterprise
Verify you have one of the following Splunk Phantom and Splunk Enterprise combinations:
| Splunk Phantom Remote Search App Version | Splunk Enterprise Version | Splunk Phantom Version |
|---|---|---|
| 1.0.17 | 8.2.4 | Splunk SOAR (On-premises) 5.3.1 |
| 1.0.17 | 8.2.0–8.2.3 | 4.10.4–4.10.x, Splunk SOAR (On-premises) 5.2.1, 5.3.1 |
| 1.0.17 | 8.0.6, 8.0.x later than 8.0.6 | 4.10.x |
| 1.0.17 | 7.3, 7.3.x | 4.8.x, 4.9.x |
| 1.0.17 | 7.2, 7.2.x | 4.8.x, 4.9.x |
Install and upgrade the Splunk Phantom Remote Search app
This documentation applies to the following versions of Splunk® Phantom Remote Search: 1.0.17