Hi guys,
In the license page for the Splunk Phantom , What is the difference between the "PHANTOM LICENSE INFORMATION" & "SPLUNK LICENSE INFORMATION". I assume the "SPLUNK LICENSE INFORMATION" is about the amount of data that we can fetch from Splunk Enterprise and and ingest into the Splunk Phantom.
Am I correct?
Hi,
From what I understand:
The Phantom one is your license for the Phantom itself.
The Splunk one is for the included Splunk Enterprise install. You can find it at $PHANTOM_HOME/splunk/
From the documentation:
If Splunk SOAR (On-premises) is installed as a stand-alone product, it includes a version of Splunk Enterprise as the internal search engine. You can also configure Splunk SOAR (On-premises) to use an external Splunk instance for searching. A Splunk SOAR (On-premises) cluster also requires an external Splunk Enterprise instance.
You can find more here https://docs.splunk.com/Documentation/SOARonprem/6.0.0/Install/ExternalSplunk
smurf