I installed the Phantom App for Splunk & CIM app.
And connectivity testing between Splunk and Phantom is passed.
I created alerts on Splunk to send events to Phantom, but I didn't see any records in Phantom's events.
From the index CIM_MODACTIONS, I can see an error log: “Unable to create container: cannot execute INSERT in a read-only transaction”
So is that what's causing the problem? But I don't understand what permissions I'm missing.