Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Set global environment settings for

You can set and manage settings that will apply to the environment, such as a global environment variable or the global action limit.

Set global environment variables

You can set environment variables that apply globally across the runtime environment to manage proxies or other features. You can also override or provide these variables on a per-app basis in the app advanced configuration. Changes to global environment settings will not be applied until the platform is restarted.

To make changes to the global environment:

  1. From the main menu, select Administration.
  2. Click Administration Settings > Environment Settings.
  3. Click +Variable to add a new environment variable.
  4. In the Name field, specify HTTP_PROXY, HTTPS_PROXY, or NO_PROXY depending on the type of proxy connection. These environment variables are read by all processes and affect the entire product including external search connections, app and asset connections, and requests made from within playbooks.

    These variable names are case sensitive and must be entered as HTTP_PROXY, HTTPS_PROXY, or NO_PROXY.

  5. In the Value field, include the following depending on the type of proxy configuration. Wildcards are not supported.
    1. HTTP and HTTPS proxy configurations: protocol, hostname or IP address, and the port of the proxy server. For example,
      <protocol>://<hostname/IP>:<port>
    2. NO_PROXY configurations: IP address, hostname, or domain of the asset.
    3. (Conditional) If the proxy server requires authentication, consider the following items:
    • <scheme>://[<username>[:<password>]@]<host>[:port]> is the scheme (http or https), optional username and password, host name or IP address, and optional port number used to connect to the proxy server.
    • The scheme and host are required.
    • If using a proxy server that requires authentication may need a service account on the proxy server.
    • If authentication credentials (username/password) are specified, the "secret" box should be selected so that the username and password are stored in encrypted format.
    • If port is not specified it defaults to port 80 when the scheme is http, and port 443 when the scheme is https.
  6. Check Secret to encrypt the Value field and stop it from being displayed.

When configuring the system to use an HTTP or HTTPS proxy, Splunk SOAR (Cloud) requires that you except calls to the loopback interface from the proxy list. You must set the environment variable NO_PROXY to include 127.0.0.1, localhost, and localhost.localdomain so that REST calls can be made on the loopback interface without being diverted to the proxy.

Apply environment variables to individual assets

You can also apply environment variables to configured assets individually. If you are using NO_PROXY, the asset configuration takes precedence over the global environment variable. However, if you are using HTTPS_PROXY, the global environment variable takes precedence over the asset configuration. For more information, see Add and configure apps and assets to provide actions in .

Set the global action concurrency limit

The global action concurrency limit designates the maximum number of concurrent actions across all assets on the platform.

  • The default setting is 150 concurrent actions on the SOAR platform.
  • The Splunk Automation Broker has a default limit of 50 concurrent actions per broker. Setting a higher limit of concurrent actions on the broker than on the platform does nothing.

When changing the global action limit, ensure the existing action limits set on all of your assets is still within the new global limit. Use caution when changing the global action limit as it can significantly affect performance.

To change the local concurrent action limit in , follow these steps.

  1. From the Home menu, select Administration.
  2. Click Administration Settings > Environment Settings.
  3. Enter your desired action limit in the box. Use caution when changing this limit because doing so can have a significant effect on performance.
  4. Click Save Changes.

To change the local concurrent action limit in the Automation Broker, follow these steps.

  1. Edit brokerd.conf by either:
    • navigating to your data directory on the Docker host operating system.
    • by logging into the Automation Broker container to edit the file in the /broker directory.
    See Change Splunk SOAR Automation Broker settings by editing brokerd.conf in Set Up and Manage the Splunk SOAR Automation Broker.
  2. Set the value for global_concurrency_limit to the desired value.
  3. Save and exit the file.
  4. Restart the Automation Broker. See Interact with the Splunk Automation Broker in Set Up and Manage the Splunk SOAR Automation Broker.

See also

Concurrent actions limits can be controlled at the app or connector level and on individual assets. You can also change the number of concurrent actions the Automation Broker allows by editing the brokerd.conf file on the Automation Broker container.

Last modified on 05 December, 2024
Create custom CEF fields in   View related data using aggregation rules

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters