Splunk SOAR

Phantom Architecture Concern

YeswanthReddy
Engager

Hi All,

Good Day!!

This is a Splunk Phantom architecture question. We are in the initial stage of building Splunk Phantom and are considering the C1E+ network topology (snip attached), as we have an external Splunk instance (both Indexer & Search Head), but the Splunk is on Cloud (SaaS product).
1. My question is: would it support building Splunk Phantom without the Splunk embedded instance (which would be part of the Splunk architecture), as we have an external Splunk instance which is on cloud?
2. What is the major functionality of Splunk embedded here in the Phantom architecture?
3. Any barriers/issues to building the Phantom infrastructure without Splunk embedded?
4. Which version of Phantom would support building without Splunk embedded?

Looking for a response from your end, which will help us a lot to have a consistent environment.

Regards,
Yeswanth M.

0 Karma
1 Solution

phanTom
SplunkTrust

@YeswanthReddy The remote search app only contains the indexes and configuration for dealing with the data on a Splunk instance. It doesn't do any connections at all. The data to feed the app comes from a Phantom instance with the External Splunk configured to send data via HEC to the indexing layer. The data can then be read by Phantom if connected to a Search Head via the same external Splunk configuration.

It depends why you are doing it:

The remote search app is required if you want to be able to use the Phantom data for reporting metrics, as you can't get access to, or manipulate, the data if you don't externalise the Splunk capability.

In a cluster there are 2 choices:
* Embedded Splunk - Phantom instance with a script run to make it the Splunk component
* Your own Splunk
    - This can be either Splunk instance(s) managed locally (on-prem/AWS) or Splunk Cloud, as the capability is the same; just how you connect to them is different.


0 Karma

YeswanthReddy
Engager

@phanTom 
Thanks a lot for the heads up. Yeah, we are thinking of going with the HTTP Event Collector (HEC) methodology via the remote search app to achieve the search capability, but my concern is:

1. Do we still need to install the Splunk embedded service even if we use the remote search app to connect with the external Splunk Cloud instance? Since we already have an existing infra built long before.

2. Which one is the best practice: using the remote search app or the default Splunk embedded service?

Could you please help me to understand the above queries.

Thanks a lot in advance.

Regards,

Yeswanth M.

0 Karma


phanTom
SplunkTrust

@YeswanthReddy 

1. As long as Phantom has somewhere to store and update the Splunk data, then it can be made to work with any Splunk capability. It is a required capability in a cluster and very useful too.

    - For Splunk Cloud you may have to use a HFW in the same location as your Phantom cluster, acting as the Splunk indexing capability, that is configured to forward to your Cloud instance. This will use HEC to send data from Phantom to the HFW and then up to the Splunk Cloud instance, but you will also need the Phantom nodes to be able to connect directly to the Cloud instance for the search capability.

2. The main functionality is to store platform data, and Splunk feeds the top search bar in Phantom when you want to search for apps/assets/actions/containers/etc.

3. You MUST have Splunk when building a Phantom Cluster

4. None

0 Karma
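As an added illustration of the Splunk Cloud layout phanTom describes above (example configuration, not from the original thread or from Splunk), this is what the two halves look like on the heavy forwarder (HFW) placed beside the Phantom cluster: a HEC input that receives Phantom's platform data, and an output group that forwards it on to the Splunk Cloud indexing tier. The host name, token and index name are placeholders, and Splunk Cloud normally ships its own forwarder credentials app whose outputs.conf and certificates replace the output stanza shown here.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the heavy forwarder (HFW)
# Enable HTTP Event Collector so the Phantom nodes can send platform data here
[http]
disabled = 0
port = 8088
enableSSL = 1

# One token dedicated to Phantom. Restricting it to the index the remote
# search app expects means a leaked token cannot write into unrelated indexes.
[http://phantom]
disabled = 0
token = <PLACEHOLDER-HEC-TOKEN>
index = <phantom_index>
indexes = <phantom_index>

# $SPLUNK_HOME/etc/system/local/outputs.conf on the same HFW
# Forward everything the HFW receives up to the Splunk Cloud indexers
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = <inputs.your-stack.splunkcloud.com>:9997
useACK = true
sslVerifyServerCert = true
```

From a Phantom node, a test event posted to https://<hfw>:8088/services/collector/event with an "Authorization: Splunk <token>" header should come back with {"text":"Success","code":0} before the Phantom external Splunk settings are pointed at it. The search connection is separate: each Phantom node still needs direct HTTPS access to the Cloud search head, as the post notes.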