topic Re: Forwarding Data between Splunk ES and Phantom in Splunk Enterprise Security

Forwarding Data between Splunk ES and Phantom

rupalekar — Fri, 07 Jun 2019 02:07:21 GMT

I am trying to send data from Splunk ES to Phantom

Version is 7.2.6

After downloading Phantom app from Splunk, within that App, in the forwarding option there are 2 selections:

Under event forwarding tab-->

New Data Model Export
OR
New Saved Search Export

When I select 1st option (New Data Model Export) , it doesn't let me go through unless I fill up "Select Object" section
This 'Select Object' is greyed out/has no drop down options

What is this Select Object knob and where do I create an Object so that it becomes selectable over here?

Re: Forwarding Data between Splunk ES and Phantom

kchamplin_splun — Fri, 07 Jun 2019 03:45:39 GMT

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/