Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Phantom

borisk95
New Member
‎03-12-2019 03:44 PM

Using Splunk Phantomm app and trying to export saved data model filds that are INHERITED parsed and can be forwared
but EXTRACTED field can not be parsed and send to phantom. EX
"_time",host,source,sourcetype,"Source_Ip"
"2019-03-13T00:39:19.000+0200","192.168.0.1",Mikrotik,syslog,"128.201.66.155"

Source ip is parsed in datamodel but could not parse and send thru phantom app

Tags (3)
0 Karma
Reply

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 11:18 PM

Utilizing a Saved Search for the Phantom App for Splunk including a " | table _time, host, source, sourcetype, Source_IP" portion at the end of the SPL query should allow you to forward events including that field.

example:
notable search_name = “name of notable” | table orig_time, orig_source, src, dest

  • Event (Saved Search) Forwarding
  1. On the Event Forwarding screen, select ‘New Saved Search Export’. The following configuration dialog will display. Fill this out as follows:

alt text

  1. ## If you’ve formatted your Splunk search output with something like the ‘table’ command, you can easily display those fields by clicking the “Auto-Extract Fields” button. This will display them below and allow you to map them to their CEF counterparts. Mapping is important as it will give some fields contextual association with actions inside of Phantom. Note: Clicking on the “Auto-Extract Fields” button more than once will duplicate the mapped fields, check for duplicates before saving.
Preview file
345 KB
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...