https://community.splunk.com/t5/Splunk-SOAR/Splunk-Phantom/m-p/438596#M132 <P>Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field.</P> <P>example:<BR /> <STRONG><CODE>notable</CODE> search_name = “name of notable” | table orig_time, orig_source, src, dest</STRONG></P> <UL> <LI>Event (Saved Search) Forwarding</LI> </UL> <OL> <LI>On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows:</LI> </OL> <P><IMG src="https://community.splunk.com/storage/temp/274528-picture1.png" alt="alt text" /></P> <OL> <LI> ## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving.</LI> </OL> Wed, 30 Sep 2020 02:00:15 GMT cblumer_splunk 2020-09-30T02:00:15Z https://community.splunk.com/t5/Splunk-SOAR/Splunk-Phantom/m-p/438595#M131 <P>Using Splunk Phantomm app and trying to export saved data model filds that are INHERITED parsed and can be forwared<BR /> but EXTRACTED field can not be parsed and send to phantom. EX <BR /> "_time",host,source,sourcetype,"Source_Ip"<BR /> "2019-03-13T00:39:19.000+0200","192.168.0.1",Mikrotik,syslog,"128.201.66.155"</P> <P>Source ip is parsed in datamodel but could not parse and send thru phantom app</P> Tue, 29 Sep 2020 23:41:22 GMT https://community.splunk.com/t5/Splunk-SOAR/Splunk-Phantom/m-p/438595#M131 borisk95 2020-09-29T23:41:22Z https://community.splunk.com/t5/Splunk-SOAR/Splunk-Phantom/m-p/438596#M132 <P>Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field.</P> <P>example:<BR /> <STRONG><CODE>notable</CODE> search_name = “name of notable” | table orig_time, orig_source, src, dest</STRONG></P> <UL> <LI>Event (Saved Search) Forwarding</LI> </UL> <OL> <LI>On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows:</LI> </OL> <P><IMG src="https://community.splunk.com/storage/temp/274528-picture1.png" alt="alt text" /></P> <OL> <LI> ## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving.</LI> </OL> Wed, 30 Sep 2020 02:00:15 GMT https://community.splunk.com/t5/Splunk-SOAR/Splunk-Phantom/m-p/438596#M132 cblumer_splunk 2020-09-30T02:00:15Z