Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Search within

The includes a search feature. This search is powered by the PostgreSQL database built-in to .

A Administrator can configure options for search from the Home menu, in Search Settings under Administration Settings. For more information, see Configure search in in the Administer manual.

Searching in

There is a search box in the upper left of every screen. Most screens also have a section specific search box below the menu bar. Section specific search boxes display text indicating what it will search. For example, on the Indicators screen, the section specific search box contains "Search indicator values".

For non section specific searches, when you enter a search term, it appears as part of the URL in the address bar, so you can create a bookmark.

For example: 

https://<Splunk SOAR URL>/search?query=events

Search results can vary as changes in occur between visits to the search page.

Initial search results are returned without filters applied. The search results page has a row of checkboxes for the following predefined filters; Containers, Artifacts, Actions, Assets, Apps, or Other to narrow your search results. Click the checkbox next the the filter you want to apply.

Search results are displayed in groups of 10 results per page. Use the menu in the bottom center of the search results page to view a up to a maximum of 100 results per page.

Available search operators in are:

  • The Boolean operator OR. Search for foo OR bar to find instances of either foo or bar in your search.
  • You can use the - character to exclude a term from your search. If you want to search for foo but not include bar, use foo -bar.
  • Quotation marks to search for exact phrases.
  • The wildcard character *. This character is only supported at the end of a string. This means you can search for foo* but not *foo or f*o.

Searching with multiple words creates an implied AND condition. For example, the term data path returns results containing both data and path. Use OR to find results containing either data or path.

Search examples

Search for the exact phase "data path": 

"data path"

Search for objects that contain both "data" and "path": 

data path

Search for objects that contain "data" or "path": 

data OR path

Search for objects that contain "data" but not "path": 

data -path

Search for any objects that contain a match for "dat": 

dat*
Last modified on 02 April, 2024
Create, sort, and filter notes in   View the list of configured playbooks in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters