Splunk SOAR (f.k.a. Phantom)

Splunk connector version 2.14 in SOAR 6.0 Error

uditdasgupta
Loves-to-Learn Everything

I am trying to query a Splunk search head using the Splunk connector from SOAR. However, my playbook is giving an error in the action block with the below error:

Failed to connect to splunk server. HTTP Error 400: Bad Request (1235)

There are no issues of connectivity as I have tested the connectivity to our asset in the app and it has passed successfully.

Yet, my playbook is failing with the above error.

My playbook design consists of a format block that formats the simple SPL query as :

|makeresults|eval id="This is a test" |eval playbook="App upgrade splunk"|table _time id playbook

which is referenced in the action block that queries a Splunk Search Head using the Splunk app.

Any advise on the possible issue is much appreciated ?

Thanks in advance

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...