Splunk SOAR

Error phantom_forward:129 Splunk_home\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

chaixl
Explorer

My the Phantom app's phantom_forwarding.log generated such logs: phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

Describe my current situation:

I am able to send events to Phantom with a saved search using the Phantom add-on. However, to send events to Phantom, I have to manually press the "Send to Phantom" button, phantom can receive the event. But the Phantom add-on can't  automatically forward events to phantom,  error logs appear in the phantom_forwarding.log. How to solve the error in the phantom_forwarding.log?

Labels (2)
1 Solution

ryansaunders
Explorer

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

View solution in original post

0 Karma

ryansaunders
Explorer

I was having this same issue (except with Splunk running on Linux).  Version 4.0.35 of the Phantom App was released last week and added support for Splunk Enterprise 8.1.  Upgrading to the new version of the app resolved the problem for me.

https://splunkbase.splunk.com/app/3411/

0 Karma

chaixl
Explorer

Thanks all for your help,

When I upgrade version 4.0.35 of the Phantom App, the problem is solved.

Thanks a lot.

0 Karma

sam_splunk
Splunk Employee
Splunk Employee

Could you provide more info of the set-up in splunk as well as the errors you're getting?

0 Karma

chaixl
Explorer

I am currently using Splunk Enterprise 8.1.0.1  and Phantom version 4.9.39220. 

 The error I'm getting is the Phantom add-on for Splunk can't  automatically forward events to phantom, only by manually pressing the "Send to Phantom" button, phantom can receive one event. I checked phantom_forwarding.log, Found many errors in the log, as shown below:

2020-12-07 15:36:52,372 ERROR	phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

 I tested and found when a new event is generated for the saved search that has been forwarded in the phantom add-on configuration, there will be an error like the one above in the phantom_forwarding.log 

Here is my set-up in splunk:

In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.

 

1607566505(1).png

 

1607566578(1).png

 

1607566685(1).png

 

1607567371(1).png

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...