Splunk SOAR

Connectivity Issue between Splunk Phantom and Splunk Enterprise - runquery action doesn't return any data

d4wc3k
Path Finder

Hello everyone

I need help with using the Splunk App in Phantom.
I am trying to perform Splunk searches from Phantom; everything seems to be configured fine and the final status is success.
The problem is that the action in most cases doesn't return any events.

E.g.
I have the following simple query:
index=firewall earliest=-1m latest=now() sourcetype="pan:threat"

In Splunk it returns data, but when I use Phantom to perform the query it doesn't return any results.
There is an exception: if I use a query with the '| rest' command, it returns information.

Should I use run query in another way? Or maybe it's related to the current configuration?

Thanks a lot for response in advance.

BR.
Dawid

1 Solution

WalshyB
Path Finder

Here are the permissions I've got for performing actions from Phantom to Splunk:

rest_properties_get
run_collect
run_mcollect
search

Hopefully this helps. We haven't had any issues with it.

d4wc3k
Path Finder

@WalshyB :
Adding the 'search' capability for the user used in Splunk resolved the problem 🙂
I forgot to add this information here.


d4wc3k
Path Finder

The previous problem was resolved by giving the username the right permissions to get data from the indexes. 🙂
For now I have another problem: I am trying to integrate another instance of Splunk with Phantom, and in this case I receive the following error during query execution:

Query invalid 'search index=*mail earliest=-1m latest=now() |stats count by internal_message_id'. Error string: 'HTTP 403 Forbidden -- insufficient permission to access this resource*

Did you maybe have a similar issue with accessing data from Splunk ES in Phantom?

BR
Dawid


d4wc3k
Path Finder

@ansusabu thanks for your response.

I tried using the stats command, but it still returns 0 events.


ansusabu
Communicator

Check the JSON file that you are receiving after the action, and try expanding the time range.


d4wc3k
Path Finder

@ansusabu
The JSON file doesn't contain any data; please refer to its content:
[{"status": "success", "parameter": {"query": "index=firewall earliest=-1m latest=now() sourcetype=\"pan:threat\" | stats count by src_ip,action", "context": {"guid": "xxxx", "artifact_id": 0, "parent_action_run": []}}, "message": "Total events: 0", "data": [], "summary": {"total_events": 0}}]


ansusabu
Communicator

Try using 'fields + *'


ansusabu
Communicator

You can use 'stats' at the end of query to return the necessary fields you require.

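An added example (not code from the thread or from Splunk) that turns the thread's two findings into an offline check: the capability list from the accepted answer and the two result shapes seen here, a "success" with zero events and an HTTP 403 error. It assumes the capabilities are read from a saved response of the Splunk `current-context` endpoint, of which only `entry[].content.capabilities` is used; all JSON samples are constructed.

```python
"""Triage a Splunk SOAR/Phantom 'run query' result and the Splunk
account's capabilities.  Added example; all samples are constructed."""
import json

# Capabilities the accepted answer lists for the Phantom service account.
REQUIRED_CAPABILITIES = {"rest_properties_get", "run_collect", "run_mcollect", "search"}

# Constructed sample in the shape of GET /services/authentication/current-context
# ?output_mode=json (assumption: only entry[].content.capabilities is read).
# The account deliberately lacks 'search', the capability found missing in the thread.
CURRENT_CONTEXT = json.dumps({"entry": [{"content": {
    "username": "phantom_svc",
    "capabilities": ["rest_properties_get", "run_collect", "run_mcollect"]}}]})

# Action result as posted in the thread: status success, zero events.
EMPTY_RESULT = json.dumps([{"status": "success", "message": "Total events: 0",
                            "data": [], "summary": {"total_events": 0}}])

# Constructed failure modelled on the 403 error quoted in the thread.
FORBIDDEN_RESULT = json.dumps([{"status": "failed", "data": [], "summary": {},
    "message": "Query invalid. Error string: 'HTTP 403 Forbidden -- "
               "insufficient permission to access this resource'"}])


def missing_capabilities(context_json):
    """Return the required capabilities the account does not hold, sorted."""
    have = set()
    for entry in json.loads(context_json).get("entry", []):
        have.update(entry.get("content", {}).get("capabilities", []))
    return sorted(REQUIRED_CAPABILITIES - have)


def triage_run_query(result_json):
    """Classify each action result as 'forbidden', 'empty' or 'ok'.
    'empty' is the silent case from the thread: the action succeeds but
    returns no events, so check the role before widening the time range."""
    verdicts = []
    for result in json.loads(result_json):
        message = result.get("message", "").lower()
        total = result.get("summary", {}).get("total_events", len(result.get("data", [])))
        if "403" in message or "insufficient permission" in message:
            verdicts.append("forbidden")
        elif result.get("status") == "success" and total == 0:
            verdicts.append("empty")
        else:
            verdicts.append("ok")
    return verdicts


if __name__ == "__main__":
    print("missing:", missing_capabilities(CURRENT_CONTEXT))
    print(triage_run_query(EMPTY_RESULT), triage_run_query(FORBIDDEN_RESULT))
```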