Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error phantom_forward:129 Splunk_home\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

chaixl
Explorer
‎12-09-2020 12:44 AM

My the Phantom app's phantom_forwarding.log generated such logs: phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

Describe my current situation:

I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button, phantom can receive the event. But the Phantom add-on can't  automatically forward events to phantom,  error logs appear in the phantom_forwarding.log. How to solve the error in the phantom_forwarding.log?

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

ryansaunders
Explorer
‎02-04-2021 09:55 AM

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryansaunders
Explorer
‎02-04-2021 09:55 AM

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

0 Karma
Reply
Solved! Jump to solution

chaixl
Explorer
‎02-04-2021 06:12 PM

Thanks all for your help,

When I upgrade version 4.0.35 of the Phantom App, the problem is solved.

Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

sam_splunk
Splunk Employee
Splunk Employee
‎12-09-2020 07:28 AM

Could you provide more info of the set-up in splunk as well as the errors you're getting?

0 Karma
Reply
Solved! Jump to solution

chaixl
Explorer
‎12-09-2020 06:33 PM

I am currently using Splunk Enterprise 8.1.0.1  and Phantom version 4.9.39220. 

 The error I'm getting is the Phantom add-on for Splunk can't  automatically forward events to phantom, only by manually pressing the "Send to Phantom" button, phantom can receive one event. I checked phantom_forwarding.log, Found many errors in the log, as shown below:

2020-12-07 15:36:52,372 ERROR	phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

 I tested and found when a new event is generated for the saved search that has been forwarded in the phantom add-on configuration, there will be an error like the one above in the phantom_forwarding.log 

Here is my set-up in splunk:

In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.

 

1607566505(1).png

 

1607566578(1).png

 

1607566685(1).png

 

1607567371(1).png

Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...