
Create and export data models and saved searches to send to Splunk Phantom or SOAR Cloud

You can create data models or saved searches to send data from the Splunk platform to Splunk Phantom or SOAR Cloud.

Differences between data models and saved searches

Data models and saved searches both let you organize data.

Use a data model for the following use cases:

- To show hierarchy between your data sets.
- To make data common across multiple datasets and devices.
- To simplify complex datasets for end users.

Use a saved search for the following use cases:

- When end user interaction is not required.

Create a data model export to send data to Splunk Phantom or SOAR Cloud

To send data to Splunk Phantom or SOAR Cloud in the form of a data model export, follow these steps for guidance.

Before you create a data model export, perform the following tasks:

1. Set up a data model in your Splunk platform instance. For instructions on setting up a data model in your Splunk platform instance, see Design data models in the Splunk Enterprise Knowledge Manager Manual.
2. Check that your data model has read permissions enabled so that the Splunk Phantom App for Splunk can discover your data models. See Manage data models in the Splunk Enterprise Knowledge Manager Manual.
3. Make sure you have completed the steps in Steps to connect the Splunk platform with Splunk Phantom.

To create a data model export in the Splunk Phantom App for Splunk, follow these steps:

1. Navigate to the Event Forwarding tab in the Splunk Phantom App for Splunk.
2. In the Name field, enter a name for this event forwarding configuration.
3. From the drop-down list in the Data Model field, select the data model containing the data you want to send to Splunk Phantom. When a data model is selected, the search runs in the background. You can view the results of the data model search after completing the first page of the event forwarding configuration and clicking Next.
4. From the drop-down list in the Object field, select an object. A data model often contains several datasets, so selecting an object specifies which dataset is used to send data to Splunk Phantom.
5. In the Select Destination field, choose the Splunk Phantom server where you want to export your data model. Choose from the servers that you configured on the Phantom Server Configuration page. See Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server.
6. (Optional) From the drop-down list in the Container Name field, select a field whose value is used to generate the container name in Splunk Phantom. Select Auto-generate and do not select any Group fields on the next screen to create a container using the name of this forwarding event configuration. For example, if you entered fwconfig in the Name field, the container is created with the name fwconfig. Select Auto-generate and one or more Group fields on the next screen to create a container using the name of this forwarding event configuration and the CEF field name and value for each selected Group field.
