https://community.splunk.com/t5/Splunk-SOAR/Phantom-Splunk-App-quot-post-data-quot-action-API-error/m-p/425387#M90 <P>Update to this:</P> <P>I enabled Trace logging in Phantom (Administration &gt; System Health &gt; Debugging), then examined the logs in <STRONG>/var/log/phantom</STRONG> that changed after running the playbook with the <STRONG>post data</STRONG> action.</P> <P>From that I found a log message in the file <STRONG>spawn.log</STRONG> which gave the response to the POST api call. This told me that the <STRONG>post data</STRONG> action is using the "receivers/simple" endpoint behind the scenes. The response (from the log file) indicated a 403 was being thrown ("insufficient permission to access this resource"), which appears to be an issue that can be resolved by adding a capability to a config file (see links below). </P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/RESTREF/RESTinput#receivers.2Fsimple">https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/RESTREF/RESTinput#receivers.2Fsimple</A><BR /> <A href="https://answers.splunk.com/answers/338746/posting-to-a-receiver-using-rest-api-giving-insuff.html#answer-338819">https://answers.splunk.com/answers/338746/posting-to-a-receiver-using-rest-api-giving-insuff.html#answer-338819</A></P> Fri, 14 Jun 2019 15:35:50 GMT jamescannalte 2019-06-14T15:35:50Z https://community.splunk.com/t5/Splunk-SOAR/Phantom-Splunk-App-quot-post-data-quot-action-API-error/m-p/425386#M89 <P>I'm attempting to use the "<STRONG>post data</STRONG>" action of the Splunk app in Phantom.</P> <P>I'm fairly certain that I've correctly configured an asset for the app to use because the "Test Connectivity" button works and other actions on the Splunk app, such as "<STRONG>get host events</STRONG>" work fine and succeed.</P> <P>Whenever I try to run the <STRONG>post data</STRONG> action however, the action fails with <STRONG>Message: "Splunk server returned error from API call"</STRONG></P> <P>Is there any way to get more detailed of an error message, i.e. what error the API call returned? Are there logs I can look at somewhere?</P> <P>Thanks for any help / suggestions.</P> Sun, 07 Jun 2020 17:45:13 GMT https://community.splunk.com/t5/Splunk-SOAR/Phantom-Splunk-App-quot-post-data-quot-action-API-error/m-p/425386#M89 jamescannalte 2020-06-07T17:45:13Z https://community.splunk.com/t5/Splunk-SOAR/Phantom-Splunk-App-quot-post-data-quot-action-API-error/m-p/425387#M90 <P>Update to this:</P> <P>I enabled Trace logging in Phantom (Administration &gt; System Health &gt; Debugging), then examined the logs in <STRONG>/var/log/phantom</STRONG> that changed after running the playbook with the <STRONG>post data</STRONG> action.</P> <P>From that I found a log message in the file <STRONG>spawn.log</STRONG> which gave the response to the POST api call. This told me that the <STRONG>post data</STRONG> action is using the "receivers/simple" endpoint behind the scenes. The response (from the log file) indicated a 403 was being thrown ("insufficient permission to access this resource"), which appears to be an issue that can be resolved by adding a capability to a config file (see links below). </P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/RESTREF/RESTinput#receivers.2Fsimple">https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/RESTREF/RESTinput#receivers.2Fsimple</A><BR /> <A href="https://answers.splunk.com/answers/338746/posting-to-a-receiver-using-rest-api-giving-insuff.html#answer-338819">https://answers.splunk.com/answers/338746/posting-to-a-receiver-using-rest-api-giving-insuff.html#answer-338819</A></P> Fri, 14 Jun 2019 15:35:50 GMT https://community.splunk.com/t5/Splunk-SOAR/Phantom-Splunk-App-quot-post-data-quot-action-API-error/m-p/425387#M90 jamescannalte 2019-06-14T15:35:50Z