Hello everyone
I need help with using Splunk App in Phantom.
I am trying to perform searches for Splunk in Phantom; everything seems to be configured fine, and the final status is success.
The problem is that the action in most cases doesn't return any events.
E.g.
I have the following simple query:
index=firewall earliest=-1m latest=now() sourcetype="pan:threat"
In Splunk it returns data, but when I use Phantom to perform the query it doesn't return any results.
There is an exception: if I use a query with the '| rest' command, it does return information.
Should I run the query in another way? Or maybe it's related to the current configuration?
Thanks a lot in advance for your response.
BR.
Dawid
Here are the permissions I've got for performing actions from Phantom to Splunk:
rest_properties_get
run_collect
run_mcollect
search
Hopefully this helps. We haven't had any issues with it.
@WalshyB :
Adding the 'search' capability for the user in Splunk resolved the problem 🙂
I forgot to add this information here.
The previous problem was resolved by giving the username the right permission to get data from indexes. 🙂
I now have another problem: I am trying to integrate another instance of Splunk with Phantom, and in this case I receive the following error during query execution:
Query invalid 'search index=*mail earliest=-1m latest=now() |stats count by internal_message_id'. Error string: 'HTTP 403 Forbidden -- insufficient permission to access this resource*
Did you maybe have a similar issue with accessing data from Splunk ES in Phantom?
BR
Dawid
@ansusabu thanks for your response.
I tried using the stats command, but it still returns 0 events.
Check the JSON file that you are receiving after the action, and try expanding the time range.
@ansusabu
The JSON file doesn't contain any data; please refer to its content:
[{"status": "success", "parameter": {"query": "index=firewall earliest=-1m latest=now() sourcetype=\"pan:threat\" | stats count by src_ip,action", "context": {"guid": "xxxx", "artifact_id": 0, "parent_action_run": []}}, "message": "Total events: 0", "data": [], "summary": {"total_events": 0}}]
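A small triage helper for this kind of result, added here as an example and not code from the thread or from the Phantom app. It takes the action result list in the shape pasted above (the sample records are constructed, including a made-up 403 record mirroring the error string reported later in the thread), distinguishes "the search user lacks permission" from "the search simply matched nothing in this time window", and compares a user's granted capabilities against the four capabilities WalshyB listed. The function names and the classification labels are my own.

```python
import json
import re

# Capabilities listed in the thread as sufficient for Phantom -> Splunk actions.
PHANTOM_CAPABILITIES = {"rest_properties_get", "run_collect", "run_mcollect", "search"}

# Constructed sample: the empty result pasted in the thread, parsed as JSON.
SAMPLE_EMPTY = json.loads(r'''[{"status": "success", "parameter": {"query": "index=firewall earliest=-1m latest=now() sourcetype=\"pan:threat\" | stats count by src_ip,action", "context": {"guid": "xxxx", "artifact_id": 0, "parent_action_run": []}}, "message": "Total events: 0", "data": [], "summary": {"total_events": 0}}]''')

# Constructed sample: a record carrying the 403 error string from the second problem.
SAMPLE_FORBIDDEN = [{
    "status": "failed",
    "parameter": {"query": "index=*mail earliest=-1m latest=now() |stats count by internal_message_id"},
    "message": "Query invalid. Error string: 'HTTP 403 Forbidden -- insufficient permission to access this resource'",
    "data": [],
    "summary": {},
}]

# Constructed sample: what a successful run with rows looks like (values invented).
SAMPLE_OK = [{
    "status": "success",
    "parameter": {"query": "index=firewall earliest=-1h latest=now() | stats count by src_ip"},
    "message": "Total events: 2",
    "data": [{"src_ip": "10.0.0.1", "count": "1"}, {"src_ip": "10.0.0.2", "count": "1"}],
    "summary": {"total_events": 2},
}]


def missing_capabilities(granted):
    """Return the capabilities from the thread's list that the user does not have."""
    return sorted(PHANTOM_CAPABILITIES - set(granted))


def parse_time_bounds(query):
    """Extract the earliest/latest tokens from an SPL string (None if absent)."""
    earliest = re.search(r"\bearliest=(\S+)", query)
    latest = re.search(r"\blatest=(\S+)", query)
    return (earliest.group(1) if earliest else None,
            latest.group(1) if latest else None)


def triage(results):
    """Classify a Phantom action result list.

    Labels (my own): permission_denied, failed, empty, ok, no_result.
    A 403 is checked before the status field because the message is the
    only place the Splunk-side error text survives.
    """
    if not results:
        return "no_result"
    record = results[0]
    message = record.get("message", "")
    if "403" in message or "insufficient permission" in message.lower():
        return "permission_denied"
    if record.get("status") != "success":
        return "failed"
    total = record.get("summary", {}).get("total_events")
    if total is None:
        total = len(record.get("data", []))
    return "empty" if total == 0 else "ok"


def advice(results):
    """Map a diagnosis to the next check suggested in the thread."""
    label = triage(results)
    query = results[0].get("parameter", {}).get("query", "") if results else ""
    earliest, latest = parse_time_bounds(query)
    hints = {
        "permission_denied": "Grant the integration user the 'search' capability and read access to the index.",
        "empty": f"Run the same query in Splunk as the integration user; widen the window (earliest={earliest}, latest={latest}).",
        "failed": "Read the message field; the action did not complete.",
        "ok": "Events returned; inspect the data array.",
        "no_result": "No result record was produced by the action.",
    }
    return label, hints[label]


if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_FORBIDDEN, SAMPLE_OK):
        print(advice(sample))
    print("missing:", missing_capabilities(["rest_properties_get", "run_collect", "run_mcollect"]))
```

The point of splitting "empty" from "permission_denied" is that Phantom reports both the first problem (status success, zero events) and a real authorization failure as a finished action; only the message text and the summary counts tell them apart, so a playbook that branches on status alone will silently treat a misconfigured user as "nothing matched".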
Try using 'fields + *'.
You can use 'stats' at the end of the query to return the necessary fields you require.