Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add-on for Phantom Remote search app

VijaySrrie
Builder
‎10-11-2021 06:14 PM

Hi,

I need to install the below add-on, this add-on creates indexes and required roles, we dont want the add-on to control the indexes, so indexes.conf in this add-on is taken out , and we will create the indexes. 

We want 14 indexes to be created, but is it Ok to go with one index and have different sourcetypes?

We do have other configs provided in the add-on, will there be any impact if we go with one index with multiple sourcetypes also during add-on update, will there be any impact?

 

https://splunkbase.splunk.com/app/4153/

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-19-2021 07:36 PM

I am testing this in multicluster sandpit

1. HEC token is created in HF

2. 14 indexes are created in Indexer

3. Roles/users/Splunk app for phantom reporting app is created in Search Head

4. In Phantom end --> HF IP ,Users, HEC token is given

But Test connectivity is failing

vijaysri_0-1634697398723.png

 

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-19-2021 08:14 PM

@VijaySrrie  I would suggest to post a new question as this was already closed and topic is different from originally posted on this.

0 Karma
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-11-2021 10:21 PM

We have roles -  [role_PhantomDelete] and [role_PhantomSearch]
Can we go ahead and create roles as per our splunk environment?

We have two users - phantomsearchuser and phantomdeleteuser (Can we go with different user ID's as per our user-id creation policy)

1. The index creation should go to masterapps 

2. Have created a new SearchHead app for both the add-ons (Phantom Remote search app  and Splunk App for Phantom reporting )

3. HEC token will go to deployment-apps

4. We have some props.conf and transforms.conf in both the add-ons (where should that go?)

Now, I am stuck with userID creation and role creation.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 10:45 PM

if you change users then you should update same phantom product that runs differently, there are dashboard splunk phantom supported apps provide rely on these indexes, you need to change at heaps of places.

I wouldn't do changes unless understand where to update them, it's too difficult when things won't work as this product is relatively new.

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

Tags (1)
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...