Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add-on for Phantom Remote search app

VijaySrrie
Builder
‎10-11-2021 06:14 PM

Hi,

I need to install the below add-on, this add-on creates indexes and required roles, we dont want the add-on to control the indexes, so indexes.conf in this add-on is taken out , and we will create the indexes. 

We want 14 indexes to be created, but is it Ok to go with one index and have different sourcetypes?

We do have other configs provided in the add-on, will there be any impact if we go with one index with multiple sourcetypes also during add-on update, will there be any impact?

 

https://splunkbase.splunk.com/app/4153/

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

View solution in original post

Tags (1)
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-19-2021 07:36 PM

I am testing this in multicluster sandpit

1. HEC token is created in HF

2. 14 indexes are created in Indexer

3. Roles/users/Splunk app for phantom reporting app is created in Search Head

4. In Phantom end --> HF IP ,Users, HEC token is given

But Test connectivity is failing

vijaysri_0-1634697398723.png

 

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-19-2021 08:14 PM

@VijaySrrie  I would suggest to post a new question as this was already closed and topic is different from originally posted on this.

0 Karma
Reply
Solved! Jump to solution

VijaySrrie
Builder
‎10-11-2021 10:21 PM

We have roles -  [role_PhantomDelete] and [role_PhantomSearch]
Can we go ahead and create roles as per our splunk environment?

We have two users - phantomsearchuser and phantomdeleteuser (Can we go with different user ID's as per our user-id creation policy)

1. The index creation should go to masterapps 

2. Have created a new SearchHead app for both the add-ons (Phantom Remote search app  and Splunk App for Phantom reporting )

3. HEC token will go to deployment-apps

4. We have some props.conf and transforms.conf in both the add-ons (where should that go?)

Now, I am stuck with userID creation and role creation.

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 10:45 PM

if you change users then you should update same phantom product that runs differently, there are dashboard splunk phantom supported apps provide rely on these indexes, you need to change at heaps of places.

I wouldn't do changes unless understand where to update them, it's too difficult when things won't work as this product is relatively new.

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎10-11-2021 08:39 PM

Hi @VijaySrrie 

Phantom SOAR works with indexes provided by this remote search add-on, the index names must all be prefixed with phantom* isn't it?

It's advisable to go with defaults what this add-on provides unless you know what specific features you are after. Technically you can take out all indexes and create separately but i would create all 14 indexes on indexers.

---

An upvote would be appreciated if this reply helps!

 

Tags (1)
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...