Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SubSearch Capability of Phantom App

TWiseOne
Path Finder
‎11-02-2018 07:16 AM

I have a correlation search that uses 2 sub-searches using the inputlookup & NOT commands for whitelisted devices/IPs.

When I configure the Phantom App Saved Search Export it finds no results.

However if I expand the whole search (CMD+SHIFT+E) it returns results fine.

Are there any limitations to the sub-search capability of the app? If not is there something I am missing in the configuration of the correlation search or Phantom Forwarding config?

Reply

cblumer_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:50 PM

That issue is typically caused by the permissions defined on the Saved Search in question:

Permissions
When the saved search is first created, the configuration is considered private and stored in the user’s directory. For it to be saved in the correct spot and made available to the Phantom app for Splunk for scheduling, the permissions of the saved search need to be modified as follows:

  1. While in context of the saved search app, go to the Settings menu and select ‘Searches, reports, and alerts’.

  2. Select the saved search that you want to make available to the Phantom app for Splunk, for scheduling.

  3. Under Actions, select ‘Edit’ and ‘Edit Permissions’

  4. Change ‘Display For’ to All apps, ‘Run As’ to User, set read/write permissions as appropriate, and click save.

Upon clicking Save, you’ll be dropped back to the ‘Searches, Reports, and Alerts’ screen, where you should now see the Sharing column show ‘Global’ for your search. It will now be available to other apps.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...