Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.

Configure a Splunk asset in Splunk Phantom or Splunk SOAR to pull data from the Splunk platform

Create and configure a new asset from the Splunk app on your Splunk Phantom or Splunk SOAR instance to search the Splunk search head and create on poll events that can be pulled from the Splunk platform to Splunk Phantom or Splunk SOAR. On poll events allow the greatest flexibility in terms of defining which events to pull in and when to pull them in. You can use this on poll configuration to get data into Splunk Phantom or Splunk SOAR when you are unable to push events from the Splunk platform to Splunk Phantom or Splunk SOAR.

Perform the following tasks to configure a new Splunk asset in Splunk Phantom or Splunk SOAR:

  1. Log in to your Splunk Phantom or Splunk SOAR instance.
  2. From the main menu, click Apps.
  3. Search for Splunk, then click Configure New Asset in the Splunk app row.
  4. Give the asset a name such as splunkes and also enter a description.
  5. Click the Asset Settings tab.
    1. Add the IP address of your Splunk instance.
    2. Add phantomsearch as the user name and specify a password.
    3. Select the appropriate time zone.
    4. On Splunk Cloud Platform, you must select the Validate Server Certificate checkbox. On Splunk Enterprise, certificate validation is optional.
    5. Enter the query in the Query to use with On Poll field. For example:

      | makeresults | eval src_ip="123.45.66.77"

    6. Enter src_ip, _raw in the Name to give containers created via ingestion field.
  6. Click the Ingest Settings tab and select events as the Label to apply to objects from this source.
  7. Click Save.
  8. Verify the configuration by clicking Asset Settings, and then Test Connectivity. Make sure you get a message indicating a successful test. If you do not, check for a typo in the user name or password, permissions that have been removed from the user, or invalid commands in the query.
  9. Create a poll request to verify that data can be pulled from the Splunk platform into Splunk Phantom.
    1. Click the Ingest Settings tab.
    2. Click Poll Now, verify the default settings, then click Poll Now again.
    3. Verify the response indicates that one container and artifact were created.
    4. Click Close.
    5. From the main menu, select Sources and verify the Test On Poll container and artifact.
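
The following script is an added example and is not part of the Splunk Phantom App for Splunk or of this documentation. It reproduces, from the command line, the three things that Test Connectivity and Poll Now depend on: that the Splunk management port answers over TLS with a certificate that validates, that the phantomsearch user name and password authenticate against the Splunk REST API (/services/auth/login), and that the on-poll query from step 5 runs as that user (/services/search/jobs with exec_mode=oneshot). The host name, port and password are placeholders; the query and the user name are the ones this topic uses. HTTP errors are mapped to the causes the verification step tells you to check.

```python
"""Pre-flight check for a Splunk asset in Splunk SOAR (added example, not Splunk code).

It exercises the same things Test Connectivity and Poll Now depend on:
  1. the Splunk management port answers over TLS with a valid certificate,
  2. the phantomsearch user name and password authenticate (/services/auth/login),
  3. the on-poll query runs as that user (/services/search/jobs, exec_mode=oneshot).
Host, port and password are placeholders; replace them before running.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SPLUNK_HOST = "splunk.example.com"   # placeholder: the search head named in the asset
SPLUNK_PORT = 8089                   # Splunk management (REST API) port
USERNAME = "phantomsearch"           # user name entered in the asset settings
PASSWORD = "REPLACE_ME"              # placeholder
VALIDATE_CERT = True                 # must stay True on Splunk Cloud Platform
ON_POLL_QUERY = '| makeresults | eval src_ip="123.45.66.77"'  # query from the doc


def parse_session_key(login_xml: str) -> str:
    """Extract <sessionKey> from the XML body that /services/auth/login returns."""
    key = ET.fromstring(login_xml).findtext("sessionKey")
    if not key:
        raise ValueError("login response carried no sessionKey")
    return key


def normalize_query(query: str) -> str:
    """The REST API needs a leading 'search' unless the query begins with a pipe."""
    q = query.strip()
    if q.startswith("|") or q.lower().startswith("search "):
        return q
    return "search " + q


def summarize_messages(body: str) -> str:
    """Pull the text out of a Splunk JSON error body ({"messages":[{"text":...}]})."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body[:200]
    return "; ".join(m.get("text", "") for m in doc.get("messages", [])) or body[:200]


def classify_failure(status: int, body: str) -> str:
    """Map an HTTP error to the causes the doc tells you to check after a failed test."""
    if status == 401:
        return "authentication failed: check the user name and password"
    if status == 403:
        return "authorization failed: permissions were removed from the user"
    if status == 400:
        return "invalid query: " + summarize_messages(body)
    return f"HTTP {status}: {summarize_messages(body)}"


def count_results(oneshot_json: str) -> int:
    """Number of rows a oneshot search returned (output_mode=json)."""
    return len(json.loads(oneshot_json).get("results", []))


def _post(path, data, headers=None):
    """POST a form to the Splunk REST API, honouring the certificate setting."""
    ctx = ssl.create_default_context()
    if not VALIDATE_CERT:                      # only acceptable on Splunk Enterprise
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{SPLUNK_HOST}:{SPLUNK_PORT}{path}"
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(),
                                 headers=headers or {}, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def check_asset() -> int:
    """Log in, run the on-poll query once, and return the number of events it yields."""
    try:
        key = parse_session_key(_post("/services/auth/login",
                                      {"username": USERNAME, "password": PASSWORD}))
        body = _post("/services/search/jobs",
                     {"search": normalize_query(ON_POLL_QUERY),
                      "exec_mode": "oneshot", "output_mode": "json"},
                     headers={"Authorization": f"Splunk {key}"})
    except urllib.error.HTTPError as err:          # 401/403/400 from the API
        raise SystemExit(classify_failure(err.code, err.read().decode()))
    except urllib.error.URLError as err:           # TLS or connection problem
        raise SystemExit(f"connection failed (check host, port, certificate): {err.reason}")
    return count_results(body)


if __name__ == "__main__":
    print(f"on-poll query returned {check_asset()} event(s)")
```

A successful run prints one event for the makeresults query, which matches the one container and one artifact that Poll Now is expected to report. Leaving VALIDATE_CERT at True mirrors the Validate Server Certificate checkbox that Splunk Cloud Platform requires; a certificate failure here will also fail Test Connectivity in the asset.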
Last modified on 08 October, 2021

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73

