For details, see:
Configure search in
In earlier releases of search was handled by an embedded version of Splunk Enterprise. Beginning with release 6.2.0, uses PostgreSQL full-text search, which has been modified to accept the * wildcard. For search syntax and examples, see Search within .
To improve the ability to get data into a Splunk Cloud Platform, support was added for Universal Forwarders. For information about configuring forwarders, see Configure forwarders to send SOAR data to your Splunk deployment.
Configure to forward data to Splunk Cloud Platform
Integrating with Splunk Cloud Platform requires the following actions:
- Configure Universal Forwarders and a Universal Forwarder Credentials Package. See Configure forwarders to send SOAR data to your Splunk deployment.
Configure the scope of global search using the REST API
You can control the scope used by global search in , using the /rest/feature_flag/restrict_global_search REST API endpoint. See /rest/feature_flag/<feature_flag_name> for details of the /rest/feature_flag REST API, the parameters it accepts, and examples for changing settings using the endpoint.
In the interest of performance, restrict_global_search defaults to "on" and has the following settings applied:
- Searching the database tables app_run, action_run, and playbook_run are turned off.
- The maximum age of database table entries will be searched is 30 days.
| Customize email templates in | Configure forwarders to send SOAR data to your Splunk deployment |
This documentation applies to the following versions of Splunk® SOAR (Cloud): current
Download manual
Feedback submitted, thanks!