Installation

While trying to configure a Phantom server on Splunk 7.0.0 it says "Update in progress" and will not progress

New Member

When I added the details during Phantom Server Configuration on Splunk, it got stuck at "Update in progress..." and is not configuring it. Please find the screenshot attached to this question. Please help, as it is required on an urgent basis to forward Splunk logs to Phantom.

Phantom version:- 3.0.251 and Splunk - 7.0.0
Thanks and Regards,
Vipin Bansal

0 Karma

Explorer

In addition to ussina04's answer, I solved this problem with the following step:

On the Phantom server, go to Administration > User Management > User > automation > Allowed IPs and configure the IP of the Splunk server where my Phantom app is installed.

0 Karma

Explorer

OK, now I have gotten somewhere after following these steps:

Step 1: Download the Phantom app and install it via file or any method that suits you.
Step 2: Open the following in the Splunk interface:
Settings > Access controls > Roles > Admin > Capabilities
Step 3: Move phantom_read and phantom_write from Available capabilities to Selected capabilities.
Step 4: Go to SPLUNKHOME/etc/apps/phantom/local/phantom.conf
Step 5: Change the following parameter in the phantom.conf file (only if you are not using certificates for the communication between the servers):
[verify_certs]
value = true (change to false)
Step 6: Now go to the Phantom app and change the tab from "event forwarding" to "phantom server configuration" >> click on the + button, paste the authentication JSON string in the box and click save.

But now I am getting the following error:
Failed to communicate with Phantom server "https://xyz". Error : invalid token from "IP"

This might be caused by an expired token; still troubleshooting, will update the post soon.

New Member

Hi, I have been able to configure the Phantom server.
However, the Event forwarding buttons are inactive.

Can someone talk me through configuring forwarding from Splunk to Phantom?

0 Karma

Engager

Different version of Splunk, but I had the same issue. There is a KB about it. The thing I found annoying was that there is no mention of the additional permissions in the docs (I did this in a dev environment, so I was a full admin). But Phantom support was fast to respond.

https://my.phantom.us/kb/66/

"With versions of Splunk previous to 6.5.3, the Phantom App on Splunk server config or searches hang with the message "updating".

To resolve the issue, add the required Phantom capabilities to the Admin and whichever Role is in use by the Phantom App.
• In the Splunk UI, navigate to Settings > Access Controls > Roles.
• Select the Role name.
• In the Capabilities field, verify "admin_all_objects", "phantom_read", "phantom_write", and "list_storage_passwords" are all applied.
• Save the configuration change.
"

Explorer

I verified that in the Capabilities field "admin_all_objects", "phantom_read", "phantom_write", and "list_storage_passwords" are all applied, but it is still not working and is stuck on the same "update in progress" page.

0 Karma

Communicator

This was helpful. Thank you.

0 Karma

SplunkTrust

If this was a reasonably correct answer, @varad_joshi, could you please click "Accept?" Thank you.

0 Karma