Splunk® App for SOAR

Use Splunk App for SOAR

Use the Automation Insights dashboards

Use the dashboards available in the Automation Insights dropdown to see metrics about the actions that run on your Splunk SOAR instances. The Automation Analytics dashboard helps you understand what actions are running on your Splunk SOAR instances, and the Action Run Search dashboard helps you understand specific actions being run on your Splunk SOAR instances. You can also filter what actions you see so that you can find the exact information you need, when you need it.

The Automation Analytics dashboard

Use the Automation Analytics dashboard to understand what actions are running on your Splunk SOAR instances.

This dashboard contains many visualizations that are helpful for understanding the actions analysts take in your Splunk SOAR instances:

  • Action Execution Over Time: This visualization shows the count and average execution time of successful and failed actions that analysts have taken over a period of time. You can specify the period of time from the dropdown menu with the default value, Last 24 hours. You can also use the legend items, count: failed, count: success, execution_time: failed, and execution_time: success, to filter what information displays in the visualization.
  • Most Active Analysts: This visualization shows the top ten most active analysts in your Splunk SOAR instances. The visualization displays those users' IDs and the number of actions they've executed in your Splunk SOAR instances. If you have more than one Splunk SOAR instance that you're monitoring, you can specify the instance you want to see by selecting the name of that instance from the legend or the name of the instance from the Index Prefix dropdown.
  • Most Active Actions: This visualization shows the top ten most run actions in your Splunk SOAR instances. You can filter by whether the actions were successes or failures.
  • Action Run by Status: This visualization shows the number of successful and failed action runs as a percentage. If you hover over the portions of the pie chart, a pop-up displays the status, count, and count%.
  • Actions with Highest Failure by Asset: This visualization shows the top ten actions that failed by asset. You can filter by asset by selecting the desired asset from the legend.
  • Action Run Count by Status: This visualization shows the counts of successful and failed actions that have been run by the name of the action.

Filter information in the Automation Analytics dashboard

All of the visualizations are affected by the three dropdowns on the page: the Last 24 hours, Index Prefix, and User ID (Username) dropdowns. Use those dropdowns to filter out unnecessary information and find what you need. Many of the visualizations can be filtered further by selecting or hovering over their index items.

The Action Run Search dashboard

Use the Action Run Search dashboard to better understand specific actions being run on your Splunk SOAR instances.

This dashboard contains one visualization and a table. Both are helpful for understanding the actions analysts take in your Splunk SOAR instances:

  • Automation Timechart: This visualization shows the count and average execution time of playbooks that analysts have run over a period of time. You can specify the period of time from the dropdown menu with the default value, Last 24 hours. You can also use the legend items, count and execution_time_sec, to filter what information displays in the visualization.
  • Action Run Table: This table shows specific actions that analysts have taken in your Splunk SOAR instances.

Filter information in the Action Run Search dashboard

All of the visualizations are affected by the dropdowns, checkboxes, and fields on the page: the Last 24 hours, Index Prefix, and User ID (Username) dropdowns; the Status checkboxes; and the Playbook Run ID field. Use those to filter out unnecessary information and find what you need. The visualization can be filtered further by selecting or hovering over its index items.

Last modified on 27 June, 2022

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.0, 1.0.38, 1.0.41, 1.0.57, 1.0.67

