Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events


Configure global field mappings

Use global field mappings when you have data mappings that you want to apply to all of your data model and saved search exports. Global field mappings provide consistency when sending events from Splunk CIM (Common Information Model), used in Splunk Cloud Platform and Splunk Enterprise, into CEF (Common Event Format), used in Splunk SOAR. Global field mappings can also save you time when configuring your data model or saved search exports.

Global field mappings are useful, for example, when running actions in Splunk Enterprise Security (ES) notable events, specifically the Send to SOAR or Run Playbook in SOAR actions. If you know that the Splunk Enterprise Security Search Field of app_name corresponds to the CEF Field appName in Splunk SOAR, create that global field mapping. Whenever one of the actions mentioned above runs, it will automatically use the global field mapping you created.

Updating CIM to CEF mappings when accessing the global field mappings for the first time

The first time you access the Global Field Mapping page, the default CIM-to-CEF mappings defined in Splunk SOAR are displayed. Configure and save the desired mappings to use them in your saved searches and data models. The default CIM-to-CEF mappings are not displayed again on subsequent visits to the Global Field Mapping page.

Create global field mappings

Create global field mappings on the Global Field Mapping page. Use only letters, numbers, and underscores. To create a global field mapping, follow these steps:

  1. On the Global Field Mapping page, select Add Mapping.
  2. In the Search Field, select an existing Splunk CIM value or a Custom (non-CEF) field. Enter text into the filter to find specific values more quickly.
    Fields that already have a defined global field mapping are dimmed and cannot be selected.
  3. In the CEF Field, select the target CEF field to map to in Splunk SOAR. Enter text into the filter to find specific values more quickly.
  4. In the Contains field, specify a filter for the type of contents included in the fields you just specified. For example, select ip in the Contains field so only source fields containing an IP address are sent to Splunk SOAR.

Make sure that your Search Field values are unique. If you map a single Search Field to multiple CEF fields, the results can be unpredictable.
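The following is an added illustration, not code from the Splunk App for SOAR Export, of the mapping rules described above: each Search Field maps to one CEF field, an optional Contains filter of ip only lets values that parse as IP addresses through, fields with no mapping are forwarded unmodified, and non-unique Search Fields or names outside letters, numbers and underscores are reported before use. The mapping entries and sample event are constructed for the example.

```python
import ipaddress
import re

# Allowed characters for mapping names, as stated on the page.
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample of global field mappings: Search Field -> CEF Field,
# with an optional "contains" filter (only "ip" is modelled here; assumption).
GLOBAL_MAPPINGS = [
    {"search_field": "src", "cef_field": "sourceAddress", "contains": "ip"},
    {"search_field": "dest", "cef_field": "destinationAddress", "contains": "ip"},
    {"search_field": "app_name", "cef_field": "appName", "contains": None},
]


def validate_mappings(mappings):
    """Return a list of problems: bad characters or a Search Field mapped twice."""
    problems, seen = [], set()
    for m in mappings:
        for key in ("search_field", "cef_field"):
            if not NAME_RE.match(m[key]):
                problems.append(f"{key} {m[key]!r} must use only letters, numbers, underscores")
        if m["search_field"] in seen:
            problems.append(f"search_field {m['search_field']!r} is mapped more than once")
        seen.add(m["search_field"])
    return problems


def contains_matches(value, contains):
    """Apply the Contains filter; None means no filter."""
    if contains is None:
        return True
    if contains == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return True  # unknown filter types pass through (assumption for this example)


def apply_global_mappings(event, mappings):
    """Build the CEF-style dict for one event; unmapped fields are forwarded as-is."""
    by_search = {m["search_field"]: m for m in mappings}
    cef = {}
    for field, value in event.items():
        m = by_search.get(field)
        if m is None:
            cef[field] = value  # no mapping: raw field sent unmodified
        elif contains_matches(value, m["contains"]):
            cef[m["cef_field"]] = value  # mapped; values failing the filter are dropped
    return cef
```

Running validate_mappings before export surfaces the duplicate-Search-Field case the note above warns about, rather than discovering it through unpredictable results in Splunk SOAR.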


For information on data models and saved searches, see Create and export data models and saved searches to send to Splunk SOAR.

Forward unmodified data to Splunk SOAR

To send the raw, unmodified data to Splunk SOAR, delete the relevant global field mapping.

To delete a global field mapping, follow these steps:

  1. In your Splunk platform instance, access Splunk App for SOAR Export.
  2. Select Global Field Mappings.
  3. For the field mapping you want to delete, in the Action column, select Delete.
  4. Click Delete in the dialog box to confirm that you want to delete the mapping.
Last modified on 31 May, 2023

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.2.3, 4.3.2

