Related Answers
Download topic as PDF
Configure the service with Splunk App for SOAR
To configure remote search using Splunk App for SOAR, you must configure the app on your Splunk search heads or search head clusters as well as on your indexers.
Obtain a Splunk Enterprise license to use the Splunk SOAR Remote Search app
You need a Splunk Enterprise license to use external Splunk Enterprise with Splunk SOAR. If you don't already have a Splunk Enterprise license, work with your delivery team to purchase one.
Add required indexes to your Splunk server
To configure remote search, add the required Splunk SOAR indexes to your Splunk server:
- Go to the Configurations tab.
- Set up remote search on a standalone or distributed instance of Splunk Cloud Platform or Enterprise.
- In the Advanced Options section, from the Create indexes (REQUIRED for SOAR Remote Search and SOAR System Logs) dropdown menu, select the Create Remote Search Indexes option.
Splunk Cloud Platform only: Index creation on Splunk Cloud Platform can take several minutes. Select List Splunk App for SOAR Indexes to watch the index creation. Be sure all indexes are created before continuing.
- Reindex your data to bring in data from Splunk SOAR into Splunk Cloud Platform or Enterprise.
- View any Splunk App for SOAR dashboard to make sure data is populating.
If you want past data to appear in Splunk App for SOAR dashboards, you must reindex your Splunk SOAR data. By default, only new data appears.
Configure the app
Reference the sections here to determine the configuration your instance needs in order for you to use Splunk App for SOAR.
Where to configure the app in a distributed deployment
Use the table to check the compatibility of the app with Splunk Enterprise distributed deployment features.
| Distributed deployment feature | Supported | Comments |
|---|---|---|
| Search Head Clusters | Yes | Use the search head cluster deployer to distribute apps across search head cluster members. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual. |
| Indexer Clusters | Yes | The app contains indexes or index-time transformations. |
| Deployment Server | No | The app does not contain inputs for forwarder data collection. |
After you've verified compatibility, use the table to determine where to configure the app in a Splunk Enterprise distributed deployment.
| Splunk instance type | Can the app be configured here? | Comments |
|---|---|---|
| Search Heads | Yes | Configure this app on the search head. |
| Indexers | Yes | The app contains indexes or index-time transformations. |
| Forwarders | No | The app does not contain inputs for forwarder data collection. |
Configure or upgrade the app using Splunk Web
- Log in to the Splunk Enterprise search head.
- On the Applications menu, scroll to the bottom and select Find More Apps.
- On the Browse more apps page, locate the app in the list, or type the name in the search box.
- Provide your splunk.com credentials.
- Accept the license terms.
- Select Upgrade app if you want to overwrite the existing configuration (optional).
- Select Login and Install.
- Select Done.
Configure or upgrade the app from a downloaded file
- Log in to splunkbase.splunk.com.
- Download Splunk App for SOAR and save it to an accessible location.
- Log in to the Splunk Enterprise search head.
- On the Applications menu, select the Manage Apps (
) icon. - On the Apps page, select Install app from file.
- On the Upload app page, select the Choose file button to locate the app.
- Select Upgrade app to overwrite the existing configuration (optional).
- Select Upload.
- Select Done.
|
PREVIOUS Connect Splunk App for SOAR to Splunk SOAR |
NEXT Set up remote search on a standalone Splunk Enterprise instance |
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38
Feedback submitted, thanks!