Splunk SOAR

Phantom Add-on for Splunk – is not saving any changes done on Saved searches (Event Forwarding)

dhirajkumar0501
Engager

Issue: Phantom Add-on for Splunk is not saving any changes made to saved searches, and the error below is observed in the internal logs.

Error observed in internal logs:

    2022-11-17 17:19:19,970 +0000 ERROR phantom_splunk:188 - Traceback (most recent call last):
      File "/opt/splunk/etc/apps/phantom/bin/phantom_splunk.py", line 182, in rest
        response, content = splunk.rest.simpleRequest(path, **args)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 648, in simpleRequest
        raise splunk.AuthorizationFailed(extendedMessages=uri)
    splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json

Observations:

  1. Splunk Prod to Phantom integrations are intact, and I did successfully push a notable to Prod during troubleshooting.
  2. Splunk Cloud was recently updated to 9.0.
  3. Splunk Enterprise 9.0 is compatible with the current Phantom App version 4.1.73 installed.

I tested with the highest Splunk permissions and am still unable to save a forwarding search or edit it.


dhirajkumar0501
Engager

It was resolved by upgrading the app to the latest version ("Splunk App for SOAR Export").
