Splunk Phantom

How do I perform field mapping between Splunk and Phantom when using Run playbook in Phantom?

New Member

Hello,

I am using the action Run playbook in Phantom. Splunk can send the alert, but without the fields created in Splunk. I have created the same fields in Phantom, but the mapping was not performed.


Splunk Employee

Using the Phantom App for Splunk would be recommended for performing field mappings in that way:
https://splunkbase.splunk.com/app/3411/

You can utilize either a Saved Search or a Data Model to have events from Splunk Core/ES that meet the criteria defined in your SPL forwarded to the Phantom instance of your choice.


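To make the field-mapping step concrete, here is an added example (not part of the original thread, and not code from the Phantom App for Splunk) that shows what a forwarding integration has to do with the results of a Saved Search: rename each Splunk field to the CEF key a Phantom artifact uses, tag the keys that playbooks and actions match on with a contains type, and wrap the result in a container/artifact payload for the Phantom REST API. The sample events, the search name, the `SPLUNK_FIELD_MAP` contents and the `base_url`/`token` placeholders are constructed for illustration; the `/rest/container` and `/rest/artifact` endpoints and the `ph-auth-token` header are the documented Phantom REST interface.

```python
"""Map Splunk saved-search results onto Phantom container/artifact payloads.

Added example for the thread above; it is not the Phantom App for Splunk's
own code. The point it illustrates: Phantom playbooks look for data under
CEF keys inside artifact['cef'], so Splunk field names have to be mapped to
those keys (or left to pass through under their original names) before the
event is posted.
"""
import json
import urllib.request

# Constructed sample: what a saved search such as
#   index=firewall action=blocked | table src_ip, dest_ip, dest_port, user, _time
# might return as results. Not real data.
SAMPLE_RESULTS = [
    {"src_ip": "203.0.113.7", "dest_ip": "10.0.0.5", "dest_port": "445",
     "user": "alice", "_time": "2024-01-01T12:00:00Z"},
    {"src_ip": "198.51.100.9", "dest_ip": "10.0.0.6", "dest_port": "3389",
     "user": "", "_time": "2024-01-01T12:05:00Z"},
]

# Assumed mapping: Splunk field name -> CEF key used inside the artifact.
SPLUNK_FIELD_MAP = {
    "src_ip": "sourceAddress",
    "dest_ip": "destinationAddress",
    "dest_port": "destinationPort",
    "user": "destinationUserName",
}

# Contains types attached to CEF keys so actions/playbooks can pick the
# artifact up (for example an "ip" type lets ip-reputation actions run on it).
CEF_TYPES = {
    "sourceAddress": ["ip"],
    "destinationAddress": ["ip"],
    "destinationUserName": ["user name"],
}


def map_fields(event, field_map=SPLUNK_FIELD_MAP):
    """Rename Splunk fields to CEF keys.

    Empty values are dropped (an empty CEF value only confuses playbook
    conditions), Splunk-internal fields starting with '_' are skipped, and
    any field without a mapping passes through under its Splunk name.
    """
    cef = {}
    for key, value in event.items():
        if value in ("", None) or key.startswith("_"):
            continue
        cef[field_map.get(key, key)] = value
    return cef


def build_artifact(container_id, event, field_map=SPLUNK_FIELD_MAP):
    """One artifact per Splunk result row, attached to an existing container."""
    cef = map_fields(event, field_map)
    return {
        "container_id": container_id,
        "name": "Splunk event",
        "label": "event",
        "source_data_identifier": event.get("_time", ""),
        "cef": cef,
        "cef_types": {k: CEF_TYPES[k] for k in cef if k in CEF_TYPES},
    }


def build_container(search_name, severity="medium"):
    """Container that groups all artifacts from one saved-search run."""
    return {
        "name": search_name,
        "label": "events",
        "severity": severity,
        "description": "Forwarded from Splunk saved search " + search_name,
    }


def post_json(base_url, token, path, payload):
    """POST a payload to the Phantom REST API (e.g. path='/rest/container').

    base_url and token are placeholders supplied by the caller; the
    ph-auth-token header is Phantom's automation-user authentication.
    """
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(payload).encode(),
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: print the payloads instead of posting them.
    container = build_container("Blocked inbound to internal hosts")
    print(json.dumps(container, indent=2))
    for row in SAMPLE_RESULTS:
        print(json.dumps(build_artifact(0, row), indent=2))
```

In a live integration the container is posted first, its `id` from the response is used as `container_id` for each artifact, and then a playbook can run against the container with every field available under the expected CEF key.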