Re: splunk to soar

kn450

I am using sendtophantom in Splunk ES to send events to SOAR. The action shows success in the logs, but the events reach SOAR with a delay of about 8 minutes.

kn450

am using Splunk ES version 8 and the SOAR (Phantom) app version 4.3.26.
I use sendtophantom to forward events to SOAR. The action always shows success in the Splunk logs, but events reach SOAR after about 8 minutes.

The issue appeared suddenly; it was working fine before.

Here are some observations from the logs:

phantom_sendtophantom_modalert.log shows action_status="success" and sometimes long durations, e.g.:

duration="549648" ms ≈ 9 minutes
This roughly matches the 8-minute delay observed.
phantom_forward_modalert.log and phantom_retry.log confirm the app version is 4.3.26 and the KV Store has no pending items.

The delay seems to come from long processing time inside the modular action within Splunk, not from connectivity or network issues.

VatsalJagani

@kn450 - If all events are reaching meaning, there are no connectivity issues.

As the events are reaching after 8 minutes, which means it cannot also be a latency issue, as 8 minutes is too long for any default timeout settings.

So the only thing I could see is a "timestamp" (_time) of the event, which may differ from when the event arrives in Splunk. This usually refers to when the event occurs on the source system. Everything in Splunk uses this timestamp.

I hope this helps!!!

kn450

am using Splunk ES version 8 and the SOAR (Phantom) app version 4.3.26.
I use sendtophantom to forward events to SOAR. The action always shows success in the Splunk logs, but events reach SOAR after about 8 minutes.The issue appeared suddenly; it was working fine before.

Here are some observations from the logs:

phantom_sendtophantom_modalert.log shows action_status="success" and sometimes long durations, e.g.:

duration="549648" ms ≈ 9 minutes

This roughly matches the 8-minute delay observed.

phantom_forward_modalert.log and phantom_retry.log confirm the app version is 4.3.26 and the KV Store has no pending items.

The delay seems to come from long processing time inside the modular action within Splunk, not from connectivity or network issues.

livehybrid

Hi @kn450

Can you confirm the Splunk version and SOAR Export app version you are using please?

Did this start suddenly or has it been a problem for some time?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

kn450

am using Splunk ES version 8 and the SOAR (Phantom) app version 4.3.26.
I use sendtophantom to forward events to SOAR. The action always shows success in the Splunk logs, but events reach SOAR after about 8 minutes.The issue appeared suddenly; it was working fine before.

Here are some observations from the logs:

phantom_sendtophantom_modalert.log shows action_status="success" and sometimes long durations, e.g.:

duration="549648" ms ≈ 9 minutes

This roughly matches the 8-minute delay observed.

phantom_forward_modalert.log and phantom_retry.log confirm the app version is 4.3.26 and the KV Store has no pending items.

The delay seems to come from long processing time inside the modular action within Splunk, not from connectivity or network issues.

splunk to soar

installation

upgrade

using Splunk Enterprise

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

splunk to soar

installation

upgrade

using Splunk Enterprise

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...