Is anyone using external Splunk for their Phantom search settings?

fuzzyb88
New Member

I have not been able to see any of the logs in Splunk that we are supposed to. We added the Phantom Remote Search app to Splunk and have it configured, but I am not able to see a connection problem on either side. Wondering if some smart person out there could share a lesson learned.

We are using Phantom 4.5.15922 and Splunk 7.2.6.

Thanks
Brian

0 Karma

cblumer_splunk
Splunk Employee

The External Splunk Search feature is used widely by Phantom customers in Production.

Can you share any errors you're receiving when you run "Test Connection" from the Admin Settings > Search Settings page in the Phantom UI?

https://my.phantom.us/4.6/docs/admin/administration#SearchSettings

0 Karma

fuzzyb88
New Member

The test connection works, but I am not seeing data into Splunk. I have worked with support and they say the errors should be in the wsgi.log, but that has not identified anything so far.

Thanks
Brian

0 Karma

sam_splunk
Splunk Employee

Hi fuzzyb88,

To be clear - the Phantom Remote Search App is for the case when you want to use an external Splunk instance to back Phantom, and not the built-in Splunk that comes with the Phantom product. Can you confirm this is your intention?

If so - please provide more details about the steps and configuration you've taken so far.

Best regards
Sam

0 Karma