Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Troubleshooting and tips for Splunk App for SOAR Export

Troubleshooting

If you encounter the following issues, follow these steps for guidance.

Problems with certificate validation

If you are having difficulty establishing a connection between Splunk SOAR and your Splunk Enterprise instance, you may have seen an error message that looks something like this:

Failed to communicate with user "" on SOAR server "https://example.com". Error: Httpsconnectionpool(host='example.com', port=443): max retries exceeded with url: /rest/ph_user?include_automation=true&_filter_token__key='<token>' (caused by sslerror(sslerror(1, u'[ssl: certificate_verify_failed] certificate verify failed (_ssl.c:741)'),)) 

See Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise for information on how to fix this issue.

Error assigning the automation role to a user

If you are using the Automation role in Splunk SOAR and get an error, try entering "any" in the allowed IPs field. Once you establish communication between Splunk SOAR and your Splunk platform instance, change the allowed IPs to the IP address or IP range for the Splunk platform instance.

Error adding a label using Splunk Enterprise Security

To see if an error occurred when you added a label, run the following search:

index=cim_modactions sourcetype="modular_alerts:phantom_forward" ERROR

The Splunk SOAR server configuration cannot be added to Splunk App for SOAR Export

In some cases, the Splunk App for SOAR Export server configuration and searches may display an error message such as the following in $SPLUNK_HOME/var/log/splunk/python.log:

Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: 
[HTTP 403] Client is not authorized to perform requested action; 

The capabilities of phantom_read, phantom_write, and admin_all_objects may no longer be applied by default to a non-admin Splunk role during the Splunk App for SOAR Export installation. Without these capabilities, Splunk App for SOAR Export is not able to read or write the REST API key of the Splunk SOAR instance.

To resolve the issue, follow these steps to add the Splunk phantom role to whichever role is in use by Splunk App for SOAR Export.

  1. In Splunk Web, navigate to Settings, then Access Controls.
  2. Select Users.
  3. Select the name in use by Splunk App for SOAR Export, such as User15.
  4. In the Assign to roles section, from the Available item(s) column, select phantom to add it to Selected item(s).
  5. Select Save.
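As an added example (not part of this documentation or of the app's own code), the following Python script checks whether a Splunk role actually carries the three capabilities named above before you go through the Splunk Web steps, and recognizes the `[HTTP 403]` line from python.log. It parses the JSON that Splunk's REST endpoint `GET /services/authorization/roles/<role>?output_mode=json` returns; the `entry[].content.capabilities` and `imported_capabilities` field names are assumed from that endpoint's output, and the sample response embedded below is constructed, not captured from a live instance.

```python
"""Check a Splunk role for the capabilities Splunk App for SOAR Export needs.

Added example, not the app's or Splunk's own code. The JSON shape follows the
Splunk REST roles endpoint (GET /services/authorization/roles/<role>?output_mode=json);
the field names used here are an assumption, and the sample response is constructed.
"""
import json

# Capabilities the troubleshooting text says the phantom role provides.
REQUIRED_CAPABILITIES = {"phantom_read", "phantom_write", "admin_all_objects"}

# Constructed sample: a custom role that was never given the phantom role.
SAMPLE_ROLE_RESPONSE = json.dumps({
    "entry": [
        {
            "name": "soar_export_role",          # hypothetical role name
            "content": {
                "capabilities": ["search", "list_inputs"],
                "imported_capabilities": ["rtsearch"],
                "imported_roles": ["user"],
            },
        }
    ]
})


def effective_capabilities(role_json):
    """Union of the role's own and inherited capabilities from a roles-endpoint response."""
    doc = json.loads(role_json)
    caps = set()
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        caps.update(content.get("capabilities", []))
        caps.update(content.get("imported_capabilities", []))
    return caps


def missing_capabilities(role_json, required=REQUIRED_CAPABILITIES):
    """Return the required capabilities the role lacks; an empty set means the role is fine."""
    return set(required) - effective_capabilities(role_json)


def looks_like_conf_phantom_403(log_line):
    """True for the python.log symptom described in this troubleshooting section."""
    return "configs/conf-phantom" in log_line and "[HTTP 403]" in log_line


if __name__ == "__main__":
    # Constructed copy of the log line from the section above.
    sample_log = ("Error talking to splunk: GET /servicesNS/nobody/phantom/configs/conf-phantom: "
                  "[HTTP 403] Client is not authorized to perform requested action;")
    if looks_like_conf_phantom_403(sample_log):
        missing = missing_capabilities(SAMPLE_ROLE_RESPONSE)
        if missing:
            print("role lacks:", sorted(missing), "-> assign the phantom role to the user")
        else:
            print("role has every required capability; the 403 has another cause")
```

To use it against a real instance, save the roles endpoint's JSON output for the role the app runs under and pass it to `missing_capabilities`; once the phantom role is assigned, the inherited capabilities show up under `imported_capabilities` and the returned set is empty.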

If you are configuring a Splunk SOAR (On-premises) cluster, configure the cluster before configuring Splunk App for SOAR Export. Any configuration or information on a stand-alone Splunk SOAR instance is erased when the instance is joined to an existing cluster. See Create a Splunk SOAR (On-premises) Cluster in the Install and Upgrade Splunk SOAR (On-premises) manual.

Container labels not showing up in Splunk SOAR

With data model and saved search exports, the container label must already exist on the Splunk SOAR server, or the container does not appear in Splunk SOAR. It is easiest to leave the container label at its default. When you leave the label at the default, the app uses a generic label that already exists in Splunk SOAR.

Saving a Splunk Data Model Export fails with an error

Saving a data model export in Splunk App for SOAR Export fails with the following error if Splunk Enterprise or Splunk Cloud Platform is configured to use the Free license group:

Argument "action.script" is not supported by this handler.

Saved searches are disabled for Splunk App for SOAR Export in the Free license group. The minimum license level required for saved search functionality is the Trial license group. You can view your current license level in Splunk Web by selecting Settings > System > Licensing.

Tips

Server configuration that does not always use a proxy

If you want a server configuration to use a proxy sometimes, but not at other times, follow these steps:

  1. In Splunk SOAR, create multiple automation users. For details, see
  2. In Splunk App for SOAR Export, set up one to have a proxy setting. For details, see Connect the Splunk App for SOAR Export and the Splunk Platform to Splunk SOAR.
Last modified on 03 September, 2024
 

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.135, 4.2.3

