Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Search within

The includes a search feature. This search is powered by the PostgreSQL database built-in to .

Searching in

There is a search box in the upper left of every screen. Most screens also have a section specific search box below the menu bar. Section specific search boxes display text indicating what it will search. For example, on the Indicators screen, the section specific search box contains "Search indicator values".

For non section specific searches, when you enter a search term, it appears as part of the URL in the address bar, so you can create a bookmark.

For example: 

https://<Splunk SOAR URL>/search?query=events

Search results can vary as changes in occur between visits to the search page.

Initial search results are returned without filters applied.

The search results page has a row of checkboxes on the left side for the following predefined filters; All, Containers, Artifacts, Actions, Assets, Apps, Playbook Run, or Other to narrow your search results. You can use multiple filters. Select the checkbox next the the filter or filters you want to apply.

Search results are displayed in groups of 10 results per page. Use the menu in the bottom center of the search results page to view a up to a maximum of 100 results per page.

Search results are not cached. Navigating the results, such as by clicking for the next page of results runs a new search. To reduce the number of searches, you can increase the number of items shown for each page of search results using the menu in the lower right of the search screen.

Available search operators in are:

  • The Boolean operator OR. Search for foo OR bar to find instances of either foo or bar in your search.
  • You can use the - character to exclude a term from your search. If you want to search for foo but not include bar, use foo -bar.
  • Quotation marks to search for exact phrases.
  • The wildcard character *. This character is only supported at the end of a string. This means you can search for foo* but not *foo or f*o.

Searching with multiple words creates an implied AND condition. For example, the term data path returns results containing both data and path. Use OR to find results containing either data or path.

Search examples

Search for the exact phase "data path": 

"data path"

Search for objects that contain both "data" and "path": 

data path

Search for objects that contain "data" or "path": 

data OR path

Search for objects that contain "data" but not "path": 

data -path

Search for any objects that contain a match for "dat": 

dat*

Search for a playbook run id: 

id: <id number>

Search for a playbook status: 

status:<desired status>
Last modified on 28 May, 2024
Create, sort, and filter notes in   View the list of configured playbooks in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.2, 6.3.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters