Issue:  Phantom Add-on for Splunk – is not saving any changes done on Saved searches and below error is observed in logs internally.

Error observed in Internal logs :  2022-11-17 17:19:19,970 +0000 ERROR phantom_splunk:188 - Traceback (most recent call last): File "/opt/splunk/etc/apps/phantom/bin/phantom_splunk.py", line 182, in rest response, content = splunk.rest.simpleRequest(path, **args) File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 648, in simpleRequest raise splunk.AuthorizationFailed(extendedMessages=uri) splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json

Observations :  

1. Splunk Prod to phantom integrations are intact and I did successfully push notable to Prod during troubleshooting.
2. Splunk Cloud was recently updated to 9.0
3. Splunk Enterprise 9.0 is compatible with current Phantom App version 4.1.73 installed.

I tested with highest Splunk permissions and still unable to save a forwarding search or edit it.