Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Configure search in Splunk SOAR (On-premises)

In earlier releases of Splunk SOAR (On-premises), search was handled by an embedded version of Splunk Enterprise. Beginning with release 6.2.0, Splunk SOAR uses PostgreSQL full-text search, which has been modified to accept the * wildcard. For search syntax and examples, see Search within Splunk SOAR.

To improve the ability to get data into a Splunk Cloud Platform or Splunk Enterprise deployment, support was added for Universal Forwarders. For information about configuring forwarders, see Configure forwarders to send SOAR data to your Splunk deployment.

Splunk SOAR (On-premises) also supports using an Elasticsearch instance for indexing SOAR data.

This list summarizes the available options for forwarding data from Splunk SOAR to a Splunk Enterprise or Splunk Cloud Platform instance.

  • Splunk Cloud Platform - by configuring a Universal Forwarder Credentials Package and Universal Forwarders
  • Splunk Enterprise - by configuring Universal Forwarders
  • Elasticsearch - by configuring a forwarder

Configure Splunk SOAR to forward data to Splunk Cloud Platform

Integrating Splunk SOAR with Splunk Cloud Platform requires the following actions:

Configure Splunk SOAR to forward data to Splunk Enterprise

Integrating Splunk SOAR with Splunk Enterprise requires the following actions:

Configure Splunk SOAR to send data to an Elasticsearch instance

When you configure Splunk SOAR to use an external instance of Elasticsearch, a copy of all indexed and searchable data is sent to the Elasticsearch instance.

Verify the following requirements before configuring the external Elasticsearch instance:

  • If you are using SSL to secure your connection to the Elasticsearch instance, the SSL certificate is imported to the Splunk Phantom certificate store.
  • You know the host name and port for the Elasticsearch instance.
  • You know the username and password of an Elasticsearch user account, or the client certificate and client key.

Perform the following tasks to connect to an external Elasticsearch instance:

  1. From the main menu in Splunk SOAR, select Administration.
  2. Select Administration Settings.
  3. Select Forwarder Settings.
  4. Click the button labeled +Configure Elastic Search.
  5. On the Configure Elastic Search dialog, add the settings for your Elasticsearch instance:
    1. In the Host field, type the hostname and port for your Elasticsearch instance.
    2. In the Username field, type the username required to log in to your Elasticsearch instance.
    3. In the Password field, type the password required to log in to your Elasticsearch instance.
  6. Conditional: Select the Use SSL check box to enable SSL.
  7. Conditional: If your Elasticsearch instance is version 6 or higher, select the Use one index per section check box.
  8. Conditional: If you are using certificate-based authentication, select the Client Authentication check box.
    1. Type the name of the client certificate in the Client Certificate field. This certificate is often a file with the .pem extension.
    2. Type the name of the client key in the Client Key field. This key is often a file with the .key extension.
  9. Data types for Elasticsearch are already configured for you.
  10. When you are finished, click the button labeled Save.

You can turn the forwarder for Elasticsearch on or off using the Enabled toggle switch at the bottom of the

If you want to use a client certificate to connect to your Elasticsearch instance, provide the paths on the Splunk SOAR instance's operating system to the public and private keys. The private key, often a file with the .pem extension, is the Client Certificate. The public key, often a file with the .key extension, is the Client Key. Both files must be added to the Splunk SOAR (On-premises) Certificate store. See Splunk SOAR (On-premises) certificate store overview for more information on the Certificate Store.
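The following pre-flight check, an added example that is not part of the Splunk documentation or product, exercises the same requirements the Configure Elastic Search dialog expects (hostname and port, optional SSL against an imported CA certificate, and either username/password or a client certificate and key) before you click Save. The `/` cluster endpoint, the file paths and the default port 9200 are assumptions.

```python
"""Pre-flight check for the Elasticsearch forwarder settings.
Added example; not Splunk's code. Endpoint '/', file paths and the
default port 9200 are assumptions."""
import base64
import ssl
import urllib.request
from typing import Optional, Tuple


def parse_host(host_field: str, default_port: int = 9200) -> Tuple[str, int]:
    """Split the Host field ('es.example.com:9200') into (hostname, port)."""
    host, sep, port = host_field.strip().rpartition(":")
    if not sep or not port.isdigit():
        return host_field.strip(), default_port  # no port given
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, int(port)


def validate_auth(username: str, password: str,
                  client_cert: Optional[str], client_key: Optional[str]) -> str:
    """Enforce the documented choice: username/password OR certificate + key."""
    if client_cert or client_key:
        if not (client_cert and client_key):
            raise ValueError("client authentication needs both certificate and key")
        return "client-cert"
    if username and password:
        return "basic"
    raise ValueError("provide username/password or a client certificate and key")


def build_context(ca_file: Optional[str], client_cert: Optional[str],
                  client_key: Optional[str]) -> ssl.SSLContext:
    """Verify the server against the imported CA (hostname check stays on)
    and present the client certificate when one is configured."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert and client_key:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def check_connection(host_field: str, username: str = "", password: str = "",
                     use_ssl: bool = True, ca_file: Optional[str] = None,
                     client_cert: Optional[str] = None,
                     client_key: Optional[str] = None, timeout: int = 5) -> int:
    """GET / on the cluster; 200 means reachable and authenticated."""
    host, port = parse_host(host_field)
    mode = validate_auth(username, password, client_cert, client_key)
    url = f"{'https' if use_ssl else 'http'}://{host}:{port}/"
    req = urllib.request.Request(url)
    if mode == "basic":
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = build_context(ca_file, client_cert, client_key) if use_ssl else None
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status
```

Run `check_connection("es.example.com:9200", "elastic", "<password>", ca_file="/path/to/ca.pem")` from the SOAR host; a certificate-verification failure here means the CA is not the one the instance presents, and a 401 means the credentials or client certificate are wrong.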

Reindex data to make newly added information searchable

You can reindex all of your data.

Reindexing will send all your SOAR data to your Splunk Enterprise or Splunk Cloud Platform deployment again, which can result in duplicated data. To prevent duplicates, make sure to delete existing objects from all forwarder groups before reindexing. See How indexing works in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Define a custom index per instance

This feature is deprecated.
Custom indexes for Splunk SOAR (On-premises) data are deprecated as of release 6.2.0. Existing custom indexes will remain, but no new custom indexes can be created.

Although this feature continues to function, it might be removed in a future version.

If you have multiple instances in your environment, index prefixes are applied to the indexes in the Splunk Cloud Platform or Splunk Enterprise created by the Splunk App for SOAR. For more information on indexes, see Set up remote search on a standalone Splunk Cloud Platform or Splunk Enterprise instance in the Install and Configure Splunk App for SOAR manual.

Use the custom prefix to create separate indexes for each instance, which provides data separation and the ability to correlate each index with the appropriate instance.

This screen image shows 3 Splunk SOAR instances writing to separate indexes on a single Splunk Enterprise Instance. Splunk SOAR instance 1 is writing to an index called prefix1_Phantom_*, Splunk SOAR instance 2 is writing to an index called prefix2_Phantom_*, and Splunk SOAR instance 3 is writing to an index called prefix3_phantom_*.

Define a custom prefix with a standalone external Splunk Cloud Platform or Splunk Enterprise deployment

This feature is deprecated.
Custom indexes for Splunk SOAR (On-premises) data are deprecated as of release 6.2.0. Existing custom indexes will remain, but no new custom indexes can be created.

Although this feature continues to function, it might be removed in a future version.

Perform the following tasks on each Splunk SOAR instance to create a custom prefix for each instance with a standalone external Splunk Cloud Platform or Splunk Enterprise deployment for search:

  1. Verify that your instance is connected to the Splunk Cloud Platform or Splunk Enterprise by setting up the search settings using a standalone external Splunk instance:
    1. Follow the instructions in Configure the service with Splunk App for SOAR in Install and Configure Splunk App for SOAR.
    2. Make sure to click Test Connection at the end of the procedure and verify that Splunk SOAR and the Splunk Cloud Platform or Splunk Enterprise are connected.
  2. Log in to the instance as the root user. In unprivileged environments, run the script as the specific user configured to run Splunk SOAR.
  3. On each instance, run the set_preference command:
    phenv set_preference --splunk-index-prefix="<prefixstring>" --splunk-admin-username <splunkadminusername>

    For example, to set a custom prefix called prefix1 using admin as the admin user for the Splunk Cloud Platform or Splunk Enterprise:

    phenv set_preference --splunk-index-prefix="prefix1" --splunk-admin-username admin

    Use an empty prefix string to remove a custom prefix. For example:

    phenv set_preference --splunk-index-prefix="" --splunk-admin-username admin

    In Splunk SOAR clusters, the script updates the prefix for all nodes in the cluster.

  4. Users on the Splunk Cloud Platform or Splunk Enterprise inherit index permissions from their roles. After creating the new indexes, you can update roles to give all users in the role access to the new indexes, or create new users and new roles to give access to the new indexes. This example shows how to edit the phantomsearch and phantomdelete roles to grant users access to the new indexes.
    1. From Splunk Web, select Settings > Roles.
    2. Click the name of the role you want to edit, such as phantomsearch.
    3. Click the Indexes tab.
    4. Check the boxes next to the names of the new indexes.
    5. Click Save.
    6. Perform this procedure again to grant access to the new indexes for the phantomdelete role.
  5. If you need additional custom roles to manage only the new indexes, this example shows how to create them.
    1. From Splunk Web, select Settings > Roles.
    2. Click New Role.
    3. Type a name for the role.
    4. On the Inheritance tab, select the existing role you want your new role to inherit from, such as phantomsearch.
    5. Click the Indexes tab.
    6. Check the boxes next to the names of the new indexes.
    7. Uncheck the boxes next to the names of the indexes the new role should not be able to access.
    8. Click Create.
    9. Click the name of the role you want to edit, such as phantomsearch.
    10. Click the Indexes tab.
    11. Uncheck the boxes next to the names of the new indexes. This prevents items managed by the new role from also being searchable through the phantomsearch role.
    12. Click Save.
    13. Perform this procedure again to create a new role with access to the new indexes for the phantomdelete role. Custom roles used for deletions must inherit permissions from the phantomdelete role.
  6. After the prefix is created, update the Splunk administration for the HEC token to grant access to the new indexes. See Set up the HTTP Event Collector on the standalone Splunk Cloud Platform or Splunk Enterprise instance in the Install and Configure Splunk App for SOAR manual for instructions.
  7. Perform this step if you are using a cluster. Run the following commands on each node in your cluster:
    pkill --full add_to_searchindex
    <PHANTOM_HOME>/bin/phsvc restart uwsgi
    
  8. Reindex all indexes to search for the data created while using the new prefixes. See Reindex data in the Install and Configure Splunk App for SOAR manual.

Define a custom prefix with a distributed external Splunk Cloud Platform or Splunk Enterprise deployment

This feature is deprecated.
Custom indexes for Splunk SOAR (On-premises) data are deprecated as of release 6.2.0. Existing custom indexes will remain, but no new custom indexes can be created.

Although this feature continues to function, it might be removed in a future version.

Perform the following tasks on each instance to create a custom prefix for each instance with a distributed external Splunk Cloud Platform or Splunk Enterprise deployment for search:

The custom prefix script is not supported for use with distributed deployments that are built in the Splunk Cloud Platform.

  1. Verify that your instance is connected to the Splunk Cloud Platform or Splunk Enterprise by setting up the search settings using a distributed external Splunk instance:
    1. Follow the instructions in Set up remote search on a distributed Splunk Cloud Platform or Enterprise instance in the Install and Configure Splunk App for SOAR manual. The Splunk App for SOAR must be installed on all search heads in the cluster.
    2. Make sure to click Test Connection at the end of the procedure and verify that Splunk SOAR and the Splunk Cloud Platform or Splunk Enterprise are connected.
  2. Log in to the instance as the root user. In unprivileged environments, run the script as the specific user configured to run Splunk SOAR.
  3. On each instance, run the set_preference command:
    phenv python set_preference --splunk-index-prefix="<prefixstring>" --splunk-admin-username <splunkadminusername>

    For example, to set a custom prefix called prefix1 using admin as the admin user for the Splunk Cloud Platform or Splunk Enterprise:

    phenv python set_preference --splunk-index-prefix="prefix1" --splunk-admin-username admin

    Use an empty prefix string to remove a custom prefix. For example:

    phenv python set_preference --splunk-index-prefix="" --splunk-admin-username admin

    In Splunk SOAR clusters, the script updates the prefix for all nodes in the cluster.

    Below is sample output from the command run in an unprivileged cluster with a distributed Splunk Enterprise deployment:

    [phanru@phantom ~]$ phenv set_preference --splunk-index-prefix prefix1 --splunk-admin-username admin
    Are you sure you wish to apply search index prefix prefix1 for this Phantom instance [yes/no]? yes
    Proceeding ... index configuration stored: /home/phanru/phantomcyber/tmp/indexes.conf
    Done! Next steps:
    - indexes.conf must be updated via splunk cluster manager node.
    - On Splunk Cloud Platform or Splunk Enterprise, edit permissions to allow the current or new HEC token to access new indexes.
    - On Splunk Cloud Platform or Splunk Enterprise, edit permissions to allow the current or new search/delete users to access new indexes.
    - If new HEC token or users are created, update the Phantom search settings.
    Run `pkill --full add_to_searchindex` on each Phantom cluster node
    Run `/home/phanru/phantomcyber/bin/phsvc restart uwsgi` on each Phantom cluster node
    - Rerun Test Connection.
    - All phantom search indexes must now be re-indexed.
    
    Note the location of the new indexes.conf file created by the script. You will need this information in the next step.
  4. Edit and save the contents of the new indexes.conf file that was created by the phenv set_preference --splunk-index-prefix command. In our example, we can use cat to view and copy the contents of the <PHANTOM_HOME>/tmp/indexes.conf file.
  5. In the manager node of the Splunk indexer cluster, append the contents of the new indexes.conf file to the local indexes.conf file on the manager node, such as /opt/splunk/etc/manager-apps/_cluster/local/indexes.conf.

    As of Splunk Enterprise version 9.0, "master-apps" has been updated to "manager-apps".

  6. Run the following commands to push the new indexes.conf to the other indexers in the cluster and verify:
    /opt/splunk/bin/splunk apply cluster-bundle --answer-yes
    /opt/splunk/bin/splunk show cluster-bundle-status
    
  7. Users on the Splunk Cloud Platform or Splunk Enterprise inherit index permissions from their roles. After creating the new indexes, you can update roles to give all users in the role access to the new indexes, or create new users and new roles to give access to the new indexes. This example shows how to edit the phantomsearch and phantomdelete roles to grant users access to the new indexes.
    1. From Splunk Web, select Settings > Roles.
    2. Click the name of the role you want to edit, such as phantomsearch.
    3. Click the Indexes tab.
    4. Check the boxes next to the names of the new indexes.
    5. Click Save.
    6. Perform this procedure again to grant access to the new indexes for the phantomdelete role.
  8. If you need additional custom roles to manage only the new indexes, this example shows how to create them.
    1. From Splunk Web, select Settings > Roles.
    2. Click New Role.
    3. Type a name for the role.
    4. On the Inheritance tab, select the existing role you want your new role to inherit from, such as phantomsearch.
    5. Click the Indexes tab.
    6. Check the boxes next to the names of the new indexes.
    7. Uncheck the boxes next to the names of the indexes the new role should not be able to access.
    8. Click Create.
    9. Click the name of the role you want to edit, such as phantomsearch.
    10. Click the Indexes tab.
    11. Uncheck the boxes next to the names of the new indexes. This prevents items managed by the new role from also being searchable through the phantomsearch role.
    12. Click Save.
    13. Perform this procedure again to create a new role with access to the new indexes for the phantomdelete role. Custom roles used for deletions must inherit permissions from the phantomdelete role.
  9. After the prefix is created, update the Splunk administration for the HEC token to grant access to the new indexes. See Set up the HTTP Event Collector on the distributed Splunk Cloud Platform or Enterprise instance in the Install and Configure Splunk App for SOAR manual for instructions.
  10. Perform this step if you are using a cluster. Run the following commands on each node in your cluster:
    pkill --full add_to_searchindex
    <PHANTOM_HOME>/bin/phsvc restart uwsgi
    
  11. Reindex all indexes to search for the data created while using the new prefixes. See Reindex data in the Install and Configure Splunk App for SOAR manual.
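Steps 4 to 6 above append the indexes.conf fragment written by set_preference to the manager node's local indexes.conf and then push the bundle. Appending with cat is not idempotent: running the procedure twice (or for a prefix that already exists) leaves duplicate stanzas in the file. The following merge, an added example that is not Splunk's code, appends only stanzas that are not already present and refuses stanzas that do not carry the expected prefix. The stanza names and settings are constructed sample data; the `<prefix>_phantom_*` naming pattern is taken from the example image on this page and is an assumption.

```python
"""Idempotent merge of a set_preference indexes.conf fragment into the
manager node's local indexes.conf. Added example, not Splunk's code;
stanza names below are constructed sample data."""
import re
from typing import List, Tuple

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_stanzas(text: str) -> List[Tuple[str, List[str]]]:
    """Split a .conf file into (stanza_name, body_lines). Lines before the
    first header are kept under the pseudo-stanza '' (global settings)."""
    stanzas: List[Tuple[str, List[str]]] = [("", [])]
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanzas.append((m.group("name"), []))
        else:
            stanzas[-1][1].append(line)
    return stanzas


def merge_indexes_conf(existing: str, fragment: str,
                       prefix: str) -> Tuple[str, List[str]]:
    """Append every stanza of `fragment` that `existing` lacks.
    Returns (merged_text, names_skipped_as_duplicates). Raises ValueError
    for a stanza that does not start with '<prefix>_' (assumed pattern)."""
    present = {name for name, _ in parse_stanzas(existing) if name}
    merged_lines = existing.rstrip("\n").splitlines()
    skipped: List[str] = []
    for name, body in parse_stanzas(fragment):
        if not name:
            continue  # global settings in the fragment are ignored
        if not name.lower().startswith(prefix.lower() + "_"):
            raise ValueError(f"stanza [{name}] does not use prefix {prefix!r}")
        if name in present:
            skipped.append(name)
            continue
        merged_lines += ["", f"[{name}]"] + [l for l in body if l.strip()]
        present.add(name)
    return "\n".join(merged_lines).lstrip("\n") + "\n", skipped


# Constructed sample: what the manager node already has in
# manager-apps/_cluster/local/indexes.conf (one prefix1 index present).
EXISTING_CONF = """[default]
repFactor = auto

[prefix1_phantom_container]
homePath = $SPLUNK_DB/prefix1_phantom_container/db
coldPath = $SPLUNK_DB/prefix1_phantom_container/colddb
thawedPath = $SPLUNK_DB/prefix1_phantom_container/thaweddb
"""

# Constructed sample standing in for <PHANTOM_HOME>/tmp/indexes.conf.
FRAGMENT_CONF = """[prefix1_phantom_container]
homePath = $SPLUNK_DB/prefix1_phantom_container/db
[prefix1_phantom_artifact]
homePath = $SPLUNK_DB/prefix1_phantom_artifact/db
coldPath = $SPLUNK_DB/prefix1_phantom_artifact/colddb
thawedPath = $SPLUNK_DB/prefix1_phantom_artifact/thaweddb
"""

if __name__ == "__main__":
    text, dupes = merge_indexes_conf(EXISTING_CONF, FRAGMENT_CONF, "prefix1")
    print(text, "skipped duplicates:", dupes)
```

Write the returned text back to the manager node's local indexes.conf before running `splunk apply cluster-bundle`; re-running the merge on the updated file is a no-op.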

Use a custom prefix when you want to change your Splunk Cloud Platform or Splunk Enterprise instance

This feature is deprecated.
Custom indexes for Splunk SOAR (On-premises) data are deprecated as of release 6.2.0. Existing custom indexes will remain, but no new custom indexes can be created.

Although this feature continues to function, it might be removed in a future version.

If you have a situation where you want to use the same custom prefix on your instance with a different or new Splunk Cloud Platform or Splunk Enterprise instance, perform the following tasks:

  1. Follow the instructions in either Set up remote search on a standalone Splunk Cloud Platform or Enterprise instance or Set up remote search on a distributed Splunk Cloud Platform or Enterprise instance in the Install and Configure Splunk App for SOAR manual to connect your instance with the Splunk Cloud Platform or Splunk Enterprise.
  2. Run the set_preference command to create the new prefix.
  3. Update the Splunk administration for the HEC token to grant access to the new indexes.
  4. Reindex all indexes to search for the data created while using the new prefixes.
Last modified on 02 April, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0

