Issue: Phantom Add-on for Splunk is not saving any changes made to saved searches, and the error below is observed in the internal logs.
Error observed in internal logs:

```
2022-11-17 17:19:19,970 +0000 ERROR phantom_splunk:188 - Traceback (most recent call last):
  File "/opt/splunk/etc/apps/phantom/bin/phantom_splunk.py", line 182, in rest
    response, content = splunk.rest.simpleRequest(path, **args)
  File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 648, in simpleRequest
    raise splunk.AuthorizationFailed(extendedMessages=uri)
splunk.AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json
```
Observations:
- Splunk Prod to Phantom integrations are intact, and I successfully pushed a notable to Prod during troubleshooting.
- Splunk Cloud was recently updated to 9.0
- Splunk Enterprise 9.0 is compatible with current Phantom App version 4.1.73 installed.
I tested with the highest Splunk permissions and am still unable to save a forwarding search or edit it.
It was resolved by upgrading the app to the latest version ("Splunk App for SOAR Export").