Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Share data from

When is deployed, the platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve in future releases.

How data is collected

uses Splunk Web Analytics (swa.js) to collect anonymous usage data. These analytics run in the background. Collecting data affects the web interface loading in a minimal way.

Share data from

When is deployed, the platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve in future releases. You can opt in or opt out of sharing telemetry data.

Enable telemetry by doing the following:

  1. From the main menu, select Administration.
  2. Expand the Product Settings drop-down list.
  3. Click Telemetry.
  4. Toggle the switch to the On position.
  5. Click Confirm.

Disable telemetry by doing the following:

  1. From the main menu, select Administration.
  2. Expand the Product Settings drop-down list.
  3. Click Telemetry.
  4. Toggle the switch to the Off position.
  5. Click Confirm.

How data is collected

uses Splunk Web Analytics (swa.js) to collect anonymous usage data. These analytics run in the background regardless of whether you opt in to sending usage data to Splunk. Collecting data affects the UI loading in a minimal way. Performance numbers are currently being gathered to compare with a baseline system with no telemetry.

What data is collected

Data is collected to measure metrics of the product, assess performance for optimizations, evaluate engagement for roadmaps, and discover client-side errors to inform UI fixes. The metrics do not contain any user-provided values such as username, email, or any URL parameters that are user or customer identifiable. collects the following basic usage information:

Name Description Example
app.session.session_start Reports the browser and OS, along with their versions.
data: {
    app: UNKNOWN_APP
    browser: Chrome
    browserVersion: 78.0.3904.97
    device: MacIntel
    locale: en-US
    os: Mac OS X
    osVersion: 10.
    page: UNKNOWN_PAGE
    splunkVersion: not available
}
eventID: d9ca862c-d48d-83a1-d1bb-f0f25f4b5af8
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213029
visibility: anonymous
app.session.phantom.pageview Reports which pages are visited by users.
data: {
   app: phantom
   page: admin.company_settings.info
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6
experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d
optInRequired: 3
timestamp: 1574210581565
visibility: anonymous
app.session.phantom.error Reports uncaught errors of front-end Splunk Phantom scripts.
data: {
   app: phantom
   errorMsg: Uncaught ReferenceError: helloworld is not defined
   file: /inc/swa/swa_enabled.js
   page: admin.product_settings.telemetry
   position: 74:1
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 94efce66-ab89-33ae-f894-1cceb8f68f78
experienceID: 239facf6-261d-dd96-be08-33870c7d3750
optInRequired: 3
timestamp: 1574294947704
visibility: anonymous
app.session.phantom.apiTime Reports roundtrip time consumption for each API request.
data: {
    app: phantom
    endpoint: /rest/ph_user/3/permissions
    method: get
    page: UNKNOWN_PAGE
    status: 200
    time: 150
    phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
    phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213030362
visibility: anonymous
app.session.phantom.viewTime Reports time spent on a specific page. Only tracked for specific pages.
data: {
   app: phantom
   page: reports
   viewTime: 10223
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 545fdcfb-ac0d-a11b-da6a-4b9da84b6c2a
experienceID: 85b49544-fb90-a2ef-1b3f-e09339f3abc1
optInRequired: 3
timestamp: 1573690198763
visibility: anonymous
app.session.phantom.license Reports license status, limits, and usage information. Sent once per session.
data: {
   app: phantom
   expirationDate: 1576800000000
   issueDate: 1575504000000
   limits: {
      actions: 50
      events: 75
      tenants: 250
      users: 5
   }
   page: UNKNOWN_PAGE
   type: standard
   usage: {
      recentAppRunCount: 5
      recentDebugRunCount: 5
      recentPlaybookRunCount: 1
   }
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 5854bede-18d9-5a88-d023-e698dab1afaf
experienceID: 31a418cc-1371-c58a-a0b8-dc87638b126f
optInRequired: 3
timestamp: 1575656115189
visibility: anonymous
app.session.phantom.systemSettings Reports the feature on/off settings and product version.
component: app.session.phantom.systemSettings
data: {
   app: phantom
   isClusteringEnabled: false
   isMultiTenantEnabled: false
   numOfClusterNodes: 0
   page: UNKNOWN_PAGE
   productVersion: 10900.0.5
   nodeGUID: dca36837-3e10-4cbd-bf14-b49097b84347
   searchConfig: {
     isElasticSearchEnabled: false
     searchLocation: local
     searchType: standalone
   }
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
app.session.phantom.vpe Reports:
  • VPE version (Classic or Modern)
  • The types of blocks in a playbook
  • The number of blocks in a playbook
  • Which hotkey shortcuts were used while editing a playbook
  • Specific SOAR features used in a playbook
data: {
   app: soar
   jsonSchemaVersion:"5.0.3"
   page: UNKNOWN_PAGE
   blocks: {
     totalCount: 14
     blockTypes: {
       action: 2
       playbook: 1
       code: 1
       utility: 1
       filter: 1
       decision: 1
       format: 6
       prompt: 1
     }
     customCodeBlockCount: 3
     customCodeBlockTypeCounts: {
       start: 0
       end: 1
       action: 2
       playbook: 0
       code: 0
       utility: 0
       filter: 0
       decision: 0
       format: 0
       prompt: 0
     }
     actions: ["geolocate ip", "whois domain"]
   }
   hotkeys: {
     totalCount: 14
     interactions: {
       addMiniMenu: 7
       addActionBlock: 6
       addPlaybookBlock: 0
       addCodeBlock: 0
       addUtilityBlock: 0
       addFilterBlock: 0
       addDecisionBlock: 0
       addFormatBlock: 1
       addPromptBlock: 0
       autoArrange: 1
       zoomToFit: 1
       zoomIn: 0
       zoomOut: 0
       savePlaybook: 1
       deleteNode: 0
       toggleEditor: 1
       toggleDebugger: 1
       toggleSettings: 1
       showShortcutModal: 1
     }
   }
   features: {
     customConditionLabel: 3
     customDatapaths: 2
     playbookInputs: {
       count: 0
       dataTypes: {
         "domain": 0
         "file id": 0
         "file name": 0
         "file path": 0
         "hash": 0
         "host name": 0
         "ip": 0
         "mac address": 0
         "port": 0
         "process name": 0
         "url": 0
         "user name": 0
       }
     }
     playbookOutputs: {
       count: 1
       dataTypes: {
         "domain": 1
         "file id": 0
         "file name": 0
         "file path": 0
         "hash": 0
         "host name": 0
         "ip": 0
         "mac address": 0
         "port": 0
         "process name": 0
         "url": 0
         "user name": 0
       }
       dedupeCount: 0
     }
   }
   playbookType: automation
   playbookName: 5d900c28b8d1555745c09908ef133337
   soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
   soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
app.session.phantom.vpeTime Reports the time in milliseconds it took for the VPE to load in the browser.
data: {
   app: soar
   pageLoadTime: 10298
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
Last modified on 22 September, 2021
PREVIOUS
Add and configure apps and assets to provide actions in
  NEXT
Add or remove a cluster node from Splunk SOAR (On-premises)

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters