Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarding Data between Splunk ES and Phantom

rupalekar
Explorer
‎06-06-2019 07:07 PM

I am trying to send data from Splunk ES to Phantom

Version is 7.2.6

After downloading Phantom app from Splunk, within that App, in the forwarding option there are 2 selections:

Under event forwarding tab-->

New Data Model Export
OR
New Saved Search Export

When I select 1st option (New Data Model Export) , it doesn't let me go through unless I fill up "Select Object" section
This 'Select Object' is greyed out/has no drop down options

What is this Select Object knob and where do I create an Object so that it becomes selectable over here?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-06-2019 08:45 PM

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

sign up for an account at phantom.us - it's free.

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kchamplin_splun
Splunk Employee
Splunk Employee
‎06-06-2019 08:45 PM

There's documentation here that has pretty solid detail:
https://my.phantom.us/4.2/docs/admin/splunk

sign up for an account at phantom.us - it's free.

However, the TL;DR is, in order to export data via a data model search, you need datamodels defined in your Splunk instance/search head - those datamodels will then have "objects" in them which should "un-grey out" the "select object" field. If you want a quick test, install the Splunk Common Information Model (CIM) app on your Splunk instance. Restart splunk after install and see if the dropdown is still grey'd out.
https://splunkbase.splunk.com/app/1621/

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...