Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding Data between Splunk ES and Phantom

rupalekar
Explorer
‎06-06-2019 07:07 PM

I am trying to send data from Splunk ES to Phantom

Version is 7.2.6

After downloading Phantom app from Splunk, within that App, in the forwarding option there are 2 selections:

Under event forwarding tab-->

New Data Model Export
OR
New Saved Search Export

When I select 1st option (New Data Model Export) , it doesn't let me go through unless I fill up "Select Object" section
This 'Select Object' is greyed out/has no drop down options

What is this Select Object knob and where do I create an Object so that it becomes selectable over here?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-06-2019 08:45 PM

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

sign up for an account at phantom.us - it's free.

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-06-2019 08:45 PM

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

sign up for an account at phantom.us - it's free.

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...