Install Splunk App for SOAR on Splunk Enterprise
Install Splunk App for SOAR on a single search head or a search-head cluster environment.
Install the Splunk App for SOAR on a single search head
To install the Splunk App for SOAR on a single search head, follow these steps:
- Check the prerequisites and required steps described in Check prerequisites for Splunk App for SOAR.
- Download Splunk App for SOAR from Splunkbase.
- Log in to your Splunk Cloud or Enterprise instance.
- Select Install app from file, or select Browse more apps, search for Splunk App for SOAR, and then select Install.
- Confirm that you want to restart Splunk Cloud or Enterprise.
If you're installing Splunk App for SOAR on a Splunk Enterprise unclustered, distributed environment with more than one indexer, you must also install the app on each indexer in the environment.
You can also search for and download the Splunk App for SOAR from within Splunk Enterprise or Cloud. Go to Manage Apps and then select Browse more apps.
Install the Splunk App for SOAR on a search head cluster
Before you begin, check the prerequisites and required steps as described in Check prerequisites for Splunk App for SOAR.
To avoid viewing all of the Splunk App for SOAR inputs while you are performing your configuration, temporarily change the output settings.
Perform these steps after installing the app and before creating the indexes for either scenario in the following sections.
- Within Splunk Cloud or Splunk Enterprise, select Settings > Data Inputs > Files & Directories.
- In the filter field, enter splunk_app_soar to find input sources used for the Splunk App for SOAR.
- For any input sources you do not want to view during the configuration, select Disable in the appropriate row.
Important: If you change any output settings, remember to revert those settings after you create the indexes, so you will see output in the future.
Clustered environment without an indexer cluster
Use a deployer to install Splunk App for SOAR in a search-head cluster environment. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.
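The deployer workflow above, as an added shell example that is not part of the Splunk documentation or the app itself: the first function stages the downloaded app package into the deployer's `$SPLUNK_HOME/etc/shcluster/apps` directory and checks that it unpacked to a real Splunk app (one carrying `default/app.conf`); the second prints the `splunk apply shcluster-bundle` command that pushes the staged bundle to the cluster. The function names, the `SPLUNK_HOME` path and the search-head URI are assumptions for illustration.

```shell
# Added example (not Splunk's own tooling): stage an app on the deployer and
# show the bundle push command. Run on the deployer host as the splunk user.
set -eu

# stage_app_on_deployer <SPLUNK_HOME> <app.tgz>
# Unpacks the package into the deployer's distribution directory and prints
# the resulting app directory. Fails if the package is not a Splunk app.
stage_app_on_deployer() {
  splunk_home="$1"
  package="$2"
  stage_dir="$splunk_home/etc/shcluster/apps"
  mkdir -p "$stage_dir"
  tar -xzf "$package" -C "$stage_dir"
  # The top-level directory in the archive is the app directory name.
  app_dir=$(tar -tzf "$package" | head -n 1 | cut -d/ -f1)
  # Every Splunk app ships default/app.conf; refuse anything else so a stray
  # archive never lands in the bundle that gets pushed to every member.
  if [ ! -f "$stage_dir/$app_dir/default/app.conf" ]; then
    echo "package did not unpack to a Splunk app: $app_dir" >&2
    return 1
  fi
  echo "$stage_dir/$app_dir"
}

# push_command <search-head-member-uri>
# Prints the deployer command that distributes everything under
# etc/shcluster/apps to the search-head cluster. No -auth is given on
# purpose: the splunk CLI prompts for credentials, which keeps the admin
# password out of shell history and process listings.
push_command() {
  echo "splunk apply shcluster-bundle -target $1"
}
```

Usage on the deployer: `stage_app_on_deployer /opt/splunk ./splunk_app_soar.tgz`, then run the command printed by `push_command https://<any-member>:8089`. The deployer pushes the whole `shcluster/apps` directory, so anything staged there by mistake also reaches every member; that is why the function checks for `app.conf` before reporting success.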
Clustered environment with an indexer cluster
Follow the instructions in the previous section, Clustered environment without an indexer cluster, with the following specifics:
- Install the app on the manager node.
- Create indexes from the manager node. Open Splunk App for SOAR in the manager node, go to the Configurations tab, and then select Create Indexes.
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0