I am using Splunk Enterprise and wish to automatically forward events to Phantom. I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button. Is there a good method to automate this?
The Phantom add-on has an alert action to create an event in Phantom, but the add-on's README says this functionality is only enabled for Splunk Enterprise Security.
The alert actions 'Sent to Phantom' and 'Run Playbook in Phantom' are for Splunk ES. I am only using Splunk Enterprise.
From the Phantom docs:
"If you are running the Phantom App on Splunk on a Splunk ES server, then additional options are available to you. You can use "Send to Phantom" and "Run Playbook in Phantom" as alert actions, and you can send notable events to Phantom as an Adaptive Response Action.
Note: These alert actions will show up in the interface on regular Splunk (non-ES), but they ONLY work on Splunk ES"
Then you can save the query in Splunk and use the Phantom app in Splunk. Goto 'export new saved search' , then select the query you saved.
If you are not receiving the fields you are expecting in Phantom, then use, stats command or field command in the query to extract the required fields.
I am currently using the Phantom app and a saved search. The data is going to Phantom, but I have to press the "Send to Phantom" button to do it.
The problem is not getting Splunk data to Phantom. It is determining if there is a way to do it automatically such that new events going to Splunk get sent to Phantom without requiring the manual button press.
The saved search events should be forwarded to Phantom automatically on its own when using the Event Forwarding Exports in the Phantom App for Splunk.
Are you setting the Schedule value appropriately?
Are the permissions on the saved search configured as needed for the Phantom app to utilize it?
Which version of Splunk Enterprise and the Phantom App for Splunk are you running?
The Phantom app writes useful logs to splunk_home/var/log/splunk/phantomconfiguration.log and *splunkhome*/var/log/splunk/phantom_forwarding.log
The events started forwarding automatically after I specified the event forwarding saved search schedule to be run every minute, instead of real time. I am using Splunk Enterprise 8.0.2 and Phantom 4.8.