Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk to soar

kn450
Explorer
a week ago

 

I am using sendtophantom in Splunk ES to send events to SOAR. The action shows success in the logs, but the events reach SOAR with a delay of about 8 minutes.

Labels (3)
Tags (1)
0 Karma
Reply

kn450
Explorer
Tuesday

am using Splunk ES version  8   and the SOAR (Phantom) app version 4.3.26.
I use sendtophantom to forward events to SOAR. The action always shows success in the Splunk logs, but events reach SOAR after about 8 minutes.

The issue appeared suddenly; it was working fine before.

Here are some observations from the logs:

  • phantom_sendtophantom_modalert.log shows action_status="success" and sometimes long durations, e.g.:

     
    duration="549648" ms ≈ 9 minutes

    This roughly matches the 8-minute delay observed.

  • phantom_forward_modalert.log and phantom_retry.log confirm the app version is 4.3.26 and the KV Store has no pending items.


The delay seems to come from long processing time inside the modular action within Splunk, not from connectivity or network issues.

 

 

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
a week ago

@kn450 - If all events are reaching meaning, there are no connectivity issues.

As the events are reaching after 8 minutes, which means it cannot also be a latency issue, as 8 minutes is too long for any default timeout settings.

 

So the only thing I could see is a "timestamp" (_time) of the event, which may differ from when the event arrives in Splunk. This usually refers to when the event occurs on the source system. Everything in Splunk uses this timestamp.

 

I hope this helps!!!

0 Karma
Reply

kn450
Explorer
Tuesday

am using Splunk ES version  8   and the SOAR (Phantom) app version 4.3.26.
I use sendtophantom to forward events to SOAR. The action always shows success in the Splunk logs, but events reach SOAR after about 8 minutes.The issue appeared suddenly; it was working fine before.

Here are some observations from the logs:

phantom_sendtophantom_modalert.log shows action_status="success" and sometimes long durations, e.g.:

 
duration="549648" ms ≈ 9 minutes

This roughly matches the 8-minute delay observed.

phantom_forward_modalert.log and phantom_retry.log confirm the app version is 4.3.26 and the KV Store has no pending items.

The delay seems to come from long processing time inside the modular action within Splunk, not from connectivity or network issues.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
a week ago

Hi @kn450 

Can you confirm the Splunk version and SOAR Export app version you are using please?

Did this start suddenly or has it been a problem for some time?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

kn450
Explorer
Tuesday

am using Splunk ES version  8   and the SOAR (Phantom) app version 4.3.26.
I use sendtophantom to forward events to SOAR. The action always shows success in the Splunk logs, but events reach SOAR after about 8 minutes.The issue appeared suddenly; it was working fine before.

Here are some observations from the logs:

phantom_sendtophantom_modalert.log shows action_status="success" and sometimes long durations, e.g.:

 
duration="549648" ms ≈ 9 minutes

This roughly matches the 8-minute delay observed.

phantom_forward_modalert.log and phantom_retry.log confirm the app version is 4.3.26 and the KV Store has no pending items.

The delay seems to come from long processing time inside the modular action within Splunk, not from connectivity or network issues.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...