Splunk Phantom

How do I perform field mapping between Splunk and Phantom when using Run playbook in Phantom?

New Member


I am using the action Run playbook in Phantom. Splunk can send the alert, but without fields created on Splunk. I have created the same fields on Phantom but the mapping was not performed.


Splunk Employee

Using the Phantom App for Splunk would be recommended for performing field mappings in that way:

You can utilize either a Saved Search or Data Model to have events from Splunk Core/ES which meet the defined criteria in your SPL forwarded to the Phantom instance of your choice:

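The answer above leaves the mapping itself to the Phantom App for Splunk's configuration screen. As an added illustration (not code from the original thread, from the Phantom App for Splunk, or from Splunk), the following Python shows what that mapping has to produce: a Splunk search result row renamed onto the CEF keys of a Phantom artifact, attached to a container, and posted through Phantom's REST API (`/rest/container` and `/rest/artifact`, authenticated with an automation user's `ph-auth-token` header). The Splunk field names, the CEF key choices, and the sample event are assumptions chosen for the example; playbooks read these values as `artifact:*.cef.<key>`, so the keys must match what the playbook expects.

```python
# Added example, not the Phantom App for Splunk's own code. Maps Splunk result
# fields onto Phantom artifact CEF keys and builds the REST payloads.
import json
import urllib.request

# Splunk field name -> Phantom CEF key. Assumed for this example; use whatever
# keys your playbooks actually read via artifact:*.cef.<key>.
SPLUNK_TO_CEF = {
    "src": "sourceAddress",
    "dest": "destinationAddress",
    "src_port": "sourcePort",
    "dest_port": "destinationPort",
    "user": "destinationUserName",
    "file_hash": "fileHash",
    "url": "requestURL",
}

# Constructed sample row, as a Splunk saved search would return it.
SAMPLE_EVENT = {
    "_time": "2021-02-01T10:15:00",
    "_raw": "src=10.0.0.5 dest=203.0.113.7 dest_port=443 signature=\"Outbound to known bad\"",
    "src": "10.0.0.5",
    "dest": "203.0.113.7",
    "dest_port": "443",
    "user": "",                        # empty values are dropped, not mapped
    "signature": "Outbound to known bad",
    "search_name": "ES - Outbound to known bad",
}


def map_fields(event, mapping=SPLUNK_TO_CEF):
    """Split one Splunk result row into (cef, leftover).

    cef      -> values renamed to their CEF keys
    leftover -> fields with no mapping, kept under their Splunk names
    Splunk internal fields (_raw, _time, ...) and empty values are skipped.
    """
    cef, leftover = {}, {}
    for field, value in event.items():
        if field.startswith("_") or value in (None, ""):
            continue
        key = mapping.get(field)
        if key is None:
            leftover[field] = value
        else:
            cef[key] = value
    return cef, leftover


def build_container(event, label="events", severity="medium"):
    """Body for POST /rest/container; the name is taken from the saved search."""
    return {
        "name": event.get("search_name", "Splunk alert"),
        "label": label,
        "severity": severity,
    }


def build_artifact(event, container_id, label="event"):
    """Body for POST /rest/artifact. Unmapped Splunk fields are merged into the
    CEF dict under their Splunk names so a playbook can still reach them
    instead of the field silently disappearing."""
    cef, leftover = map_fields(event)
    cef.update(leftover)
    return {
        "container_id": container_id,
        "name": "Splunk event",
        "label": label,
        "cef": cef,
        "run_automation": True,   # let Phantom trigger playbooks on ingest
    }


def post_to_phantom(base_url, token, event):
    """Create the container, then the artifact, returning the artifact id.
    Network call; not exercised offline. base_url like https://phantom.example."""
    headers = {"ph-auth-token": token, "Content-Type": "application/json"}

    def call(path, body):
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    container_id = call("/rest/container", build_container(event))["id"]
    return call("/rest/artifact", build_artifact(event, container_id))["id"]


if __name__ == "__main__":
    # Offline demo: show the artifact that would be posted for the sample row.
    print(json.dumps(build_artifact(SAMPLE_EVENT, container_id=0), indent=2))
```

One practical check: run the saved search in Splunk, feed a real result row through `map_fields`, and compare the CEF keys it yields against the keys the playbook's blocks reference; any field the playbook needs that lands in `leftover` is a field still missing from the mapping.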