Splunk SOAR

Error adding External Splunk Enterprise Instance to SOAR

JAvnaim
Explorer

Hello,

I am attempting to add an External Splunk Enterprise Instance to SOAR and receive the following error when I click "Test connection":

ss1.png

I am running Splunk Enterprise On-Prem v8.2.9, Splunk App for SOAR 1.0.41, and SOAR (Unprivileged, On-prem) v6.0.0.114895. What's interesting is I can see the events being created in Splunk Enterprise in the phantom_action_run index:

ss2.png

Does anyone happen to know what the (not very descriptive) error "status" means? What's also interesting is none of my hosts are named "Splunk", so I'm wondering where the error is pulling that hostname from?

Thanks ahead of time for your help!

~J

phanTom
SplunkTrust

@JAvnaim this error usually relates to the phantomdelete user you need to create not having the correct permissions, OR to the "must reset password on 1st login" box still being ticked on the account.

Test that you can log into the account using the same password you put in the config and also check it can delete events.

If you don't want the delete capability you can remove it from the phantomdelete user once this has been set up and linked.

-- Hope this helps! If so please mark as the solution for future viewers! Happy SOARing! --
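The two causes named in the reply above (the service account lacking delete permission, and the forced-password-change flag still set) can be checked against the Splunk management port before pressing "Test Connection" in SOAR. The script below is an added example written for this thread, not code from Splunk or from the SOAR app. It assumes the management port is 8089, that the `| delete` command requires the `delete_by_keyword` capability (granted by the built-in `can_delete` role), and that the users REST endpoint exposes the forced-change flag as a `force-change-pass` field; the sample JSON it parses offline is constructed, not captured from a real host.

```python
import base64
import json
import ssl
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Capability behind the `| delete` search command; the built-in can_delete
# role grants it (assumption documented in the lead-in).
REQUIRED_CAPABILITY = "delete_by_keyword"

# Constructed sample of GET /services/authentication/users?output_mode=json:
# one user set up the way the thread describes going wrong, one set up correctly.
SAMPLE_USERS_JSON = json.dumps({
    "entry": [
        {"name": "phantomdelete",
         "content": {"roles": ["user"], "capabilities": ["search"],
                     "force-change-pass": True}},
        {"name": "soar_delete",
         "content": {"roles": ["can_delete"],
                     "capabilities": ["delete_by_keyword", "search"],
                     "force-change-pass": False}},
    ]
})


def check_user_entry(entry):
    """Evaluate one user entry. Returns (ok, reasons)."""
    content = entry.get("content", {})
    reasons = []
    if REQUIRED_CAPABILITY not in set(content.get("capabilities", [])):
        roles = ", ".join(content.get("roles", [])) or "none"
        reasons.append("missing capability %s (roles: %s)" % (REQUIRED_CAPABILITY, roles))
    # Assumption: the entry exposes the "must change password on next login"
    # flag as the boolean field force-change-pass.
    if content.get("force-change-pass", False):
        reasons.append("'must reset password on first login' is still set")
    return (not reasons, reasons)


def check_users_json(body):
    """Check every entry in a users response. Returns {name: (ok, reasons)}."""
    doc = json.loads(body)
    return {e["name"]: check_user_entry(e) for e in doc.get("entry", [])}


def _ssl_context(verify_tls):
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for a lab host that still has the default self-signed cert.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_users_json(host, admin_user, admin_password, target_user,
                     port=8089, verify_tls=True):
    """Read the target user's entry from the management port as an admin."""
    url = "https://%s:%d/services/authentication/users/%s?output_mode=json" % (
        host, port, target_user)
    token = base64.b64encode(("%s:%s" % (admin_user, admin_password)).encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    with urlopen(req, context=_ssl_context(verify_tls), timeout=15) as resp:
        return resp.read().decode()


def can_login(host, user, password, port=8089, verify_tls=True):
    """Try exactly the credentials SOAR has in its asset config.

    Returns True when Splunk issues a session key and False on HTTP 401, so a
    mistyped password shows up here rather than in the SOAR test."""
    url = "https://%s:%d/services/auth/login" % (host, port)
    data = urlencode({"username": user, "password": password,
                      "output_mode": "json"}).encode()
    try:
        with urlopen(Request(url, data=data), context=_ssl_context(verify_tls),
                     timeout=15) as resp:
            return "sessionKey" in json.loads(resp.read().decode())
    except HTTPError as err:
        if err.code == 401:
            return False
        raise


if __name__ == "__main__":
    # Offline run against the constructed sample; use fetch_users_json(...)
    # and can_login(...) against a real host when checking a live asset.
    for name, (ok, reasons) in check_users_json(SAMPLE_USERS_JSON).items():
        print(name, "OK" if ok else "; ".join(reasons))
```

Run it as-is to see the two sample verdicts; for a live check, call `can_login` with the SOAR asset's credentials and pass the output of `fetch_users_json` (run as an admin) to `check_users_json`. If the user's roles look right but the capability is still missing, the role itself is the place to look, since the entry's `capabilities` list is what Splunk computes from the assigned roles.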

JAvnaim
Explorer

Thanks @phanTom for the quick reply!

Your response made perfect sense to me; however, I have validated:

  • I was able to log into Splunk Enterprise as phantomdelete
  • As phantomdelete, I was able to "delete" events (using "| delete" in a search) - is there another way I should be testing to delete events?
  • Validated the events are no longer shown in the search
  • Logged back into SOAR and after pressing "Test Connection", the same error as noted above is shown.

Thinking there was something wrong with the phantomdelete user, I removed the account from Splunk Enterprise and recreated it (using a different name). Oddly enough, after recreating it and testing it again in SOAR, I am greeted with "Test Successful"! So weird, but now my SOAR and Splunk Enterprise appear connected.
Thanks for your help!