I am currently using Splunk Enterprise 8.1.0.1 and Phantom version 4.9.39220. The error I'm getting is that the Phantom add-on for Splunk can't automatically forward events to Phantom; only by manually pressing the "Send to Phantom" button can Phantom receive one event.

I checked phantom_forwarding.log and found many errors in the log, as shown below:

2020-12-07 15:36:52,372 ERROR phantom_forward:129 - C:\Program Files\Splunk\etc\apps\phantom\bin\scripts\phantom_forward.py called without a session token.

I tested and found that when a new event is generated for the saved search that has been forwarded in the Phantom add-on configuration, there will be an error like the one above in the phantom_forwarding.log.

Here is my setup in Splunk: In Splunk Web, I have successfully configured the Phantom Server in the App, and applied the Splunk Enterprise instance IP under the "allowed ips" in Phantom.