When I added the details during Phantom Server Configuration on Splunk, it stuck at "Update in progress..." and not configuring it. Please find the screenshot attached with this question. Please help as it is required on urgent basis to forward Splunk logs to Phantom.
Phantom version:- 3.0.251 and Splunk - 7.0.0
Thanks and Regards,
ussina04 answer and plus I have solved this problem as follows step
On phantom server , Administraton > UserManagement > User > automation > Allowed IPs And configure ip my installed phantom app of splunk server
Ok Now reached somewhere after following the steps:
Step 1: download the phantom APP and install it via file or any method suits you.
Step 2: open the following in splunk interface
Settings > Access controls > Roles > Admin > Capabilities
Step 3: move phantom_read and phantom_write from Available capabilities to Selected capabilities.
Step 4: go to SPLUNKHOME/etc/apps/phantom/local/phantom.conf
Step 5 : change the following parameter in phantom.conf file (only if you are not using certificates for the communication between the servers):
value = true (change to false)
Step 6: Now go to the Phantom APP and change the tab from "event forwarding " to "phantom server configuration" >> click on + button and paste the authentication json string in the box and click save
But now I am getting the following error :
Failed to communicate with Phantom server "https://xyz". Error : invalid token from "IP"
Might be this is caused since token is expired, still troubleshooting soon update the post.
Different version of Splunk but i had the same issue, there is a KB about it, the thing i found annoying was there is no mentioned of additional permission mention in the docs (i did this in a dev enviroment so i was an full admin). But phantom support was fast to respond
"With versions of Splunk previous to 6.5.3, the Phantom App on Splunk server config or searches hang with the message "updating".
To resolve the issue, add the required Phantom capabilities to the Admin and whichever Role is in use by the Phantom App.
• In the Splunk UI, navigate to Settings > Access Controls > Roles.
• Select the Role name.
• In the Capabilities field, verify "admin_all_objects", "phantom_read", "phantom_write", and "list_storage_passwords" are all applied.
• Save the configuration change.
verified In the Capabilities field, verify "admin_all_objects", "phantom_read", "phantom_write", and "list_storage_passwords" are all applied but still not working and stuck on the same page update in progress.