Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error phantom_forward:129 Splunk_home\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

chaixl
Explorer
‎12-09-2020 12:44 AM

My the Phantom app's phantom_forwarding.log generated such logs: phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

Describe my current situation:

I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button, phantom can receive the event. But the Phantom add-on can't  automatically forward events to phantom,  error logs appear in the phantom_forwarding.log. How to solve the error in the phantom_forwarding.log?

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

ryansaunders
Explorer
‎02-04-2021 09:55 AM

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryansaunders
Explorer
‎02-04-2021 09:55 AM

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

0 Karma
Reply
Solved! Jump to solution

chaixl
Explorer
‎02-04-2021 06:12 PM

Thanks all for your help,

When I upgrade version 4.0.35 of the Phantom App, the problem is solved.

Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

sam_splunk
Splunk Employee
Splunk Employee
‎12-09-2020 07:28 AM

Could you provide more info of the set-up in splunk as well as the errors you're getting?

0 Karma
Reply
Solved! Jump to solution

chaixl
Explorer
‎12-09-2020 06:33 PM

I am currently using Splunk Enterprise 8.1.0.1  and Phantom version 4.9.39220. 

 The error I'm getting is the Phantom add-on for Splunk can't  automatically forward events to phantom, only by manually pressing the "Send to Phantom" button, phantom can receive one event. I checked phantom_forwarding.log, Found many errors in the log, as shown below:

2020-12-07 15:36:52,372 ERROR	phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

 I tested and found when a new event is generated for the saved search that has been forwarded in the phantom add-on configuration, there will be an error like the one above in the phantom_forwarding.log 

Here is my set-up in splunk:

In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.

 

1607566505(1).png

 

1607566578(1).png

 

1607566685(1).png

 

1607567371(1).png

Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...