While trying to configure a Phantom server on Splunk 7.0.0 it says "Update in progress" and will not progress

New Member

When I added the details during Phantom Server Configuration on Splunk, it stuck at "Update in progress..." and not configuring it. Please find the screenshot attached with this question. Please help as it is required on urgent basis to forward Splunk logs to Phantom.

Phantom version:- 3.0.251 and Splunk - 7.0.0
alt text
Thanks and Regards,
Vipin Bansal

Labels (1)
0 Karma


ussina04 answer and plus I have solved this problem as follows step

On phantom server , Administraton > UserManagement > User > automation > Allowed IPs And configure ip my installed phantom app of splunk server

0 Karma


Ok Now reached somewhere after following the steps:

Step 1: download the phantom APP and install it via file or any method suits you.
Step 2: open the following in splunk interface
Settings > Access controls > Roles > Admin > Capabilities
Step 3: move phantom_read and phantom_write from Available capabilities to Selected capabilities.
Step 4: go to SPLUNKHOME/etc/apps/phantom/local/phantom.conf
Step 5 : change the following parameter in phantom.conf file (only if you are not using certificates for the communication between the servers):
value = true (change to false)
Step 6: Now go to the Phantom APP and change the tab from "event forwarding " to "phantom server configuration" >> click on + button and paste the authentication json string in the box and click save

But now I am getting the following error :
Failed to communicate with Phantom server "https://xyz". Error : invalid token from "IP"

Might be this is caused since token is expired, still troubleshooting soon update the post.

New Member

Hi I Have been able to Configure Phantom Server.
However the Event forwarding buttons are inactive.

Can someone talk me through Configuring Forwarding from Splunk to Phantom

0 Karma


Different version of Splunk but i had the same issue, there is a KB about it, the thing i found annoying was there is no mentioned of additional permission mention in the docs (i did this in a dev enviroment so i was an full admin). But phantom support was fast to respond

"With versions of Splunk previous to 6.5.3, the Phantom App on Splunk server config or searches hang with the message "updating".

To resolve the issue, add the required Phantom capabilities to the Admin and whichever Role is in use by the Phantom App.
• In the Splunk UI, navigate to Settings > Access Controls > Roles.
• Select the Role name.
• In the Capabilities field, verify "admin_all_objects", "phantom_read", "phantom_write", and "list_storage_passwords" are all applied.
• Save the configuration change.


verified In the Capabilities field, verify "admin_all_objects", "phantom_read", "phantom_write", and "list_storage_passwords" are all applied but still not working and stuck on the same page update in progress.

0 Karma


This was helpful. Thank you.

0 Karma


If this was a reasonably correct answer, @varad_joshi, could you please click "Accept?" Thank you.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...