Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)


Configure forwarders to send SOAR data to your Splunk deployment

In release 6.2.0, the embedded instance of Splunk Enterprise has been replaced with Universal Forwarders.

These universal forwarders allow for better scaling, better performance, and reduced resource usage for getting your SOAR data into your Splunk deployment.

After upgrading to Splunk SOAR (Cloud) release 6.2.0, you no longer require the user accounts phantomsearch and phantomdelete on your Splunk Enterprise or Splunk Cloud Platform deployment.

Configure data forwarding

The steps in this section apply if you are forwarding data from Splunk SOAR (Cloud) to Splunk Cloud Platform; you must complete them to ensure your Splunk SOAR (Cloud) data continues to be forwarded after the upgrade. If you forward to a Splunk Enterprise deployment instead, see Configure forwarding to a Splunk Enterprise deployment later on this page.

Configuration before your Splunk SOAR (Cloud) deployment is upgraded

This section applies if you are forwarding data from Splunk SOAR (Cloud) to either an external instance of Splunk Enterprise or Splunk Cloud Platform.

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
    For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.
  2. Conditional: If your Splunk Cloud Platform deployment is in a restricted access category, you must request that TCP port 9997 (the default Splunk receiving port for forwarders) be opened on your Splunk Cloud Platform deployment.
  3. In Splunk SOAR (Cloud), upload the credentials package from Step 1.
    1. From the Home menu, select Administration, then Administration Settings. Then select Search Settings.
    2. Confirm that Distributed Splunk Enterprise Deployment is selected. Upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.

After you have uploaded and saved the Universal Forwarder Credentials Package, your connection to your Splunk Cloud Platform deployment will migrate correctly when your deployment is upgraded to release 6.2.0.

Optional, post-upgrade steps: Adding new data types

After you perform the steps in the previous section, all of your previously configured data types are automatically selected. Your forwarding will work as it did in previous releases.

If you choose, you can add one or more of three additional forwarding data types that are added in 6.2.0.

  • Audit logs: Records of all activities in Splunk SOAR (Cloud).
  • Playbook run: Playbook performance metrics, including resource scoring data.
  • SOAR logs: Information about Splunk SOAR (Cloud), based on app logs.

If you choose to forward the Playbook run data type, you must first create the phantom_playbook_run index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.

To add one or more of these new forwarding data types, follow these steps AFTER your stack is upgraded to version 6.2.0:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Locate the forwarder group to update and select the edit button.
  3. Select the Data types you want to ingest into Splunk Cloud Platform, then select Save.

Configuration after your Splunk SOAR (Cloud) deployment is upgraded

If you choose to forward the Playbook run data type (step 2 of this process), you must first create the phantom_playbook_run index in your destination Splunk Enterprise or Splunk Cloud Platform instance. See Create Events Indexes in the Splunk Enterprise documentation or Create a Splunk Cloud Platform events index in the Splunk Cloud Platform documentation.

To configure data forwarding after your Splunk SOAR (Cloud) deployment is upgraded, follow these steps:

  1. In your Splunk Cloud Platform deployment, get a Universal Forwarder Credentials Package.
    For details, see Install and configure the Splunk Cloud Platform universal forwarder credentials package in the Splunk Universal Forwarder documentation.
    1. In Splunk Cloud Platform, select Apps, then Universal Forwarder.
    2. Select Download Universal Forwarder Credentials.
  2. In Splunk SOAR (Cloud), upload the credentials package from Step 1.
    1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
    2. Select +Install Credentials Package.
    3. Upload the Splunk Universal Forwarder Credentials Package associated with your Splunk Cloud Platform instance.
    4. Select the Data types you want to ingest into Splunk Cloud Platform.
      There are three additional forwarding data types that are added in Splunk SOAR 6.2.0:
      • Audit logs: Records of all activities in Splunk SOAR.
      • Playbook run: Playbook performance metrics, including resource scoring data.
      • SOAR logs: Information about Splunk SOAR, based on app logs.
    5. Select Save.

After you complete these steps, data will begin to stream from Splunk SOAR (Cloud) to Splunk Cloud Platform.

Configure forwarding to a Splunk Enterprise deployment

If your organization forwards data to a Splunk Enterprise deployment, you need to configure your forwarders. To configure data forwarding, follow these steps:

  1. From the Home menu, select Administration, then Administration Settings. Then select Forwarder Settings.
  2. Select +New Group.
  3. In the Add a new forwarder group dialog do the following:
    1. In the Name field, type a name for your forwarder group (do not use the name splunk). This name is displayed on the Forwarder Settings page.
    2. Conditional: If you use a TCP token to authenticate to your Splunk Enterprise deployment, add it to the Token field.
    3. In the Indexers field, add the address of your indexer. Click Add Another if you have more indexers to add. You can remove an indexer from the list by using the - button at the end of the indexer's address field.
    4. Select the Data types you want to ingest into your Splunk Enterprise deployment.
  4. Make sure the Enabled slider button is in the on position.
  5. Click Save.

After you complete these steps, data will begin to stream from Splunk SOAR (Cloud) to your Splunk Enterprise deployment.

Data types and corresponding indexes

This table shows the connection between the forwarded Data type and the index it corresponds to in Splunk Enterprise or Splunk Cloud Platform.

Splunk SOAR data type           Index in Splunk Enterprise/Splunk Cloud Platform
Action run                      phantom_action_run
App                             phantom_app
App run                         phantom_app_run
Artifact                        phantom_artifact
Asset                           phantom_asset
Audit log                       _audit
Container                       phantom_container
Container attachment            phantom_container_attachment
Container comment               phantom_container_comment
Custom function                 phantom_custom_function
Custom list                     phantom_decided_list
Note                            phantom_note
Playbook                        phantom_playbook
Playbook run                    phantom_playbook_run (you must create this index before forwarding data)
SOAR logs                       splunk_app_soar
Splunk Add-on for Linux logs    os
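The index requirement above and the post-configuration check a practitioner wants, as an added Python example that is not part of the Splunk documentation or product: it maps the data types selected in a forwarder group to the indexes in the table, reports which of those indexes the destination does not yet have (Splunk's internal _audit index is treated as always present), and builds the SPL search that confirms events are arriving once the group is enabled. The index list is assumed to come from the destination's REST endpoint GET /services/data/indexes?output_mode=json; the JSON response embedded below is constructed for the example, not captured from a real deployment, and the set of built-in indexes is an assumption about a standard Splunk instance.

```python
"""Preflight check for a Splunk SOAR forwarder group (added example, not product code).

Given the data types selected in a forwarder group and the indexes that exist on
the destination, report which indexes still have to be created and build the SPL
search that confirms data is arriving after the group is enabled.
"""
import json

# Data type -> destination index, as listed in the table above.
DATA_TYPE_INDEX = {
    "Action run": "phantom_action_run",
    "App": "phantom_app",
    "App run": "phantom_app_run",
    "Artifact": "phantom_artifact",
    "Asset": "phantom_asset",
    "Audit log": "_audit",
    "Container": "phantom_container",
    "Container attachment": "phantom_container_attachment",
    "Container comment": "phantom_container_comment",
    "Custom function": "phantom_custom_function",
    "Custom list": "phantom_decided_list",
    "Note": "phantom_note",
    "Playbook": "phantom_playbook",
    "Playbook run": "phantom_playbook_run",
    "SOAR logs": "splunk_app_soar",
    "Splunk Add-on for Linux logs": "os",
}

# Assumption: Splunk's own internal indexes exist on every destination, so they
# never need to be created by the administrator.
BUILTIN_INDEXES = {"_audit", "_internal", "_introspection"}

# Constructed sample of GET /services/data/indexes?output_mode=json from the
# destination (not a real capture). Only the "name" field of each entry is used.
SAMPLE_INDEX_RESPONSE = json.dumps({
    "entry": [
        {"name": "main", "content": {"disabled": False}},
        {"name": "phantom_container", "content": {"disabled": False}},
        {"name": "os", "content": {"disabled": False}},
    ]
})


def parse_index_names(rest_json):
    """Return the set of index names in a /services/data/indexes JSON response."""
    doc = json.loads(rest_json)
    return {entry["name"] for entry in doc.get("entry", [])}


def required_indexes(selected_types):
    """Map the selected data types to their destination indexes; reject unknown types."""
    unknown = [t for t in selected_types if t not in DATA_TYPE_INDEX]
    if unknown:
        raise ValueError(f"unknown data type(s): {unknown}")
    return sorted({DATA_TYPE_INDEX[t] for t in selected_types})


def missing_indexes(selected_types, existing_indexes):
    """Indexes the selected data types need that the destination does not yet have.

    phantom_playbook_run is the one the page calls out, but events forwarded to
    any index that does not exist are dropped by the indexer unless it has a
    lastChanceIndex configured, so every selected type is checked.
    """
    return [
        idx for idx in required_indexes(selected_types)
        if idx not in existing_indexes and idx not in BUILTIN_INDEXES
    ]


def verification_search(selected_types, earliest="-15m"):
    """SPL that counts recent events per index and sourcetype for the selected types."""
    clause = " OR ".join(f"index={idx}" for idx in required_indexes(selected_types))
    return f"({clause}) earliest={earliest} | stats count by index, sourcetype"


if __name__ == "__main__":
    selected = ["Container", "Artifact", "Playbook run", "Audit log"]
    existing = parse_index_names(SAMPLE_INDEX_RESPONSE)
    for idx in missing_indexes(selected, existing):
        print(f"create index {idx} on the destination before enabling the group")
    print("after enabling the group, run:", verification_search(selected))
```

Run the verification search on the destination a few minutes after saving the forwarder group; an index that is selected in the group but shows no rows is the first place to look when data appears to be missing.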

See Also

For more information about getting data into Splunk Enterprise or Splunk Cloud Platform see these additional resources.

Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

