Splunk® App for SOAR

Install and Configure Splunk App for SOAR

This documentation does not apply to the most recent version of Splunk® App for SOAR. For documentation on the most recent version, go to the latest release.

Install Splunk App for SOAR on Splunk Enterprise

Install Splunk App for SOAR on a single search head or a search-head cluster environment.

Install the Splunk App for SOAR on a single search head

To install the Splunk App for SOAR on a single search head, follow these steps:

  1. Check the prerequisites and required steps described in Check prerequisites for Splunk App for SOAR.
  2. Download Splunk App for SOAR from Splunkbase.
  3. Log in to your Splunk Enterprise instance as an administrator and go to Manage Apps.
  4. Select Install app from file and choose the package you downloaded, or select Browse more apps, search for Splunk App for SOAR, and then select Install.
  5. Confirm that you want to restart Splunk Enterprise.

If you're installing Splunk App for SOAR in an unclustered, distributed Splunk Enterprise environment with more than one indexer, you must also install the app on each indexer in the environment.

You can also search for and download the Splunk App for SOAR from within Splunk Enterprise or Cloud. Go to Manage Apps and then select Browse more apps.

Install the Splunk App for SOAR on a search head cluster

Before you begin, check the prerequisites and required steps as described in Check prerequisites for Splunk App for SOAR.

To keep the Splunk App for SOAR inputs from collecting data while you are still configuring the app, temporarily disable them.
Perform these steps after installing the app and before creating the indexes for either scenario in the following sections.

  1. Within Splunk Enterprise, select Settings > Data Inputs > Files & Directories.
  2. In the filter field, enter splunk_app_soar to find the input sources used by the Splunk App for SOAR.
  3. For each input source you do not want active during the configuration, select Disable in its row.

Important: If you disable any inputs, re-enable them after you create the indexes. A disabled input stays disabled and collects nothing until you do.
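The disable-and-revert step above as a shell helper. This is an added example, not code from Splunk App for SOAR or from the Splunk documentation. It relies on Splunk reading an app's local/inputs.conf on top of its default/inputs.conf, which is the same override the Disable button in Settings > Data Inputs writes, so removing the override file is the whole revert. The stanza names passed to it are constructed placeholders (list the app's real ones with splunk btool inputs list --app=splunk_app_soar); the paths under $SPLUNK_HOME and the backup file name are assumptions. On a search head cluster, stage the same file under $SPLUNK_HOME/etc/shcluster/apps/splunk_app_soar/local on the deployer and push it with splunk apply shcluster-bundle rather than editing a cluster member directly.

```shell
#!/bin/sh
# Hypothetical helper (not part of Splunk App for SOAR): writes a local
# inputs.conf override that disables the given input stanzas, preserves any
# override an administrator already had there, and removes the override again
# once index creation is done. Splunk layers <app>/local/inputs.conf over
# <app>/default/inputs.conf, so this file is the only change made.

APP="splunk_app_soar"

# override_path: the app-local inputs.conf; SPLUNK_HOME defaults to /opt/splunk (assumed).
override_path() {
    printf '%s/etc/apps/%s/local/inputs.conf\n' "${SPLUNK_HOME:-/opt/splunk}" "$APP"
}

# disable_inputs STANZA...: write "disabled = 1" for each stanza name given.
# Any existing local override is moved aside so revert_inputs can restore it.
disable_inputs() {
    f=$(override_path)
    mkdir -p "$(dirname "$f")"
    if [ -f "$f" ]; then
        mv "$f" "$f.pre-soar-setup"
    fi
    : > "$f"
    for stanza in "$@"; do
        printf '[%s]\ndisabled = 1\n\n' "$stanza" >> "$f"
    done
}

# revert_inputs: delete the override (or put the administrator's original back)
# so the app's default inputs apply again. Restart or reload Splunk afterwards.
revert_inputs() {
    f=$(override_path)
    rm -f "$f"
    if [ -f "$f.pre-soar-setup" ]; then
        mv "$f.pre-soar-setup" "$f"
    fi
}

# count_disabled: number of stanzas the override currently disables, 0 when
# there is no override. Use it to confirm the state before and after reverting.
count_disabled() {
    f=$(override_path)
    if [ -f "$f" ]; then
        grep -c '^disabled = 1$' "$f" || true
    else
        echo 0
    fi
}

# Guarded demonstration with a constructed stanza name; run as: sh this.sh --demo
if [ "${1:-}" = "--demo" ]; then
    disable_inputs 'monitor:///opt/splunk/var/log/splunk/example_soar.log'
    echo "disabled stanzas: $(count_disabled)"
    revert_inputs
    echo "after revert: $(count_disabled)"
fi
```

Keep the helper on the deployer or a jump host rather than on the search heads themselves, and run revert_inputs as soon as Create Indexes has finished, so the app never stays silently disabled after the configuration is complete.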

Clustered environment without an indexer cluster

Use a deployer to install Splunk App for SOAR in a search-head cluster environment. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

Clustered environment with an indexer cluster

Follow the instructions in the previous section, Clustered environment without an indexer cluster, with these differences:

  • Install the app on the manager node of the indexer cluster, which distributes it to the peer nodes.
  • Create the indexes from the manager node. Open Splunk App for SOAR on the manager node, go to the Configurations tab, and then select Create Indexes.
Last modified on 01 March, 2023

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0