Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error phantom_forward:129 Splunk_home\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

chaixl
Explorer
‎12-09-2020 12:44 AM

My the Phantom app's phantom_forwarding.log generated such logs: phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

Describe my current situation:

I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button, phantom can receive the event. But the Phantom add-on can't  automatically forward events to phantom,  error logs appear in the phantom_forwarding.log. How to solve the error in the phantom_forwarding.log?

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

ryansaunders
Explorer
‎02-04-2021 09:55 AM

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ryansaunders
Explorer
‎02-04-2021 09:55 AM

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

0 Karma
Reply
Solved! Jump to solution

chaixl
Explorer
‎02-04-2021 06:12 PM

Thanks all for your help,

When I upgrade version 4.0.35 of the Phantom App, the problem is solved.

Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

sam_splunk
Splunk Employee
Splunk Employee
‎12-09-2020 07:28 AM

Could you provide more info of the set-up in splunk as well as the errors you're getting?

0 Karma
Reply
Solved! Jump to solution

chaixl
Explorer
‎12-09-2020 06:33 PM

I am currently using Splunk Enterprise 8.1.0.1  and Phantom version 4.9.39220. 

 The error I'm getting is the Phantom add-on for Splunk can't  automatically forward events to phantom, only by manually pressing the "Send to Phantom" button, phantom can receive one event. I checked phantom_forwarding.log, Found many errors in the log, as shown below:

2020-12-07 15:36:52,372 ERROR	phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

 I tested and found when a new event is generated for the saved search that has been forwarded in the phantom add-on configuration, there will be an error like the one above in the phantom_forwarding.log 

Here is my set-up in splunk:

In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.

 

1607566505(1).png

 

1607566578(1).png

 

1607566685(1).png

 

1607567371(1).png

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...