Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding Data between Splunk ES and Phantom

rupalekar
Explorer
‎06-06-2019 07:07 PM

I am trying to send data from Splunk ES to Phantom

Version is 7.2.6

After downloading Phantom app from Splunk, within that App, in the forwarding option there are 2 selections:

Under event forwarding tab-->

New Data Model Export
OR
New Saved Search Export

When I select 1st option (New Data Model Export) , it doesn't let me go through unless I fill up "Select Object" section
This 'Select Object' is greyed out/has no drop down options

What is this Select Object knob and where do I create an Object so that it becomes selectable over here?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-06-2019 08:45 PM

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

sign up for an account at phantom.us - it's free.

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-06-2019 08:45 PM

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

sign up for an account at phantom.us - it's free.

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...