Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add-on for Phantom Remote search app

VijaySrrie
Builder
‎10-11-2021 06:14 PM

Hi,

I need to install the below add-on, this add-on creates indexes and required roles, we dont want the add-on to control the indexes, so indexes.conf in this add-on is taken out , and we will create the indexes. 

We want 14 indexes to be created, but is it Ok to go with one index and have different sourcetypes?

We do have other configs provided in the add-on, will there be any impact if we go with one index with multiple sourcetypes also during add-on update, will there be any impact?

 

https://splunkbase.splunk.com/app/4153/

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-19-2021 07:36 PM

I am testing this in multicluster sandpit

1. HEC token is created in HF

2. 14 indexes are created in Indexer

3. Roles/users/Splunk app for phantom reporting app is created in Search Head

4. In Phantom end --> HF IP ,Users, HEC token is given

But Test connectivity is failing

vijaysri_0-1634697398723.png

 

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-19-2021 08:14 PM

@VijaySrrie  I would suggest to post a new question as this was already closed and topic is different from originally posted on this.

0 Karma
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-11-2021 10:21 PM

We have roles -  [role_PhantomDelete] and [role_PhantomSearch]
Can we go ahead and create roles as per our splunk environment?

We have two users - phantomsearchuser and phantomdeleteuser (Can we go with different user ID's as per our user-id creation policy)

1. The index creation should go to masterapps 

2. Have created a new SearchHead app for both the add-ons (Phantom Remote search app  and Splunk App for Phantom reporting )

3. HEC token will go to deployment-apps

4. We have some props.conf and transforms.conf in both the add-ons (where should that go?)

Now, I am stuck with userID creation and role creation.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 10:45 PM

if you change users then you should update same phantom product that runs differently, there are dashboard splunk phantom supported apps provide rely on these indexes, you need to change at heaps of places.

I wouldn't do changes unless understand where to update them, it's too difficult when things won't work as this product is relatively new.

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

Tags (1)
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...