This documentation does not apply to the most recent version of Splunk® App for SOAR.
For documentation on the most recent version, go to the latest release.
Add required indexes to your Splunk server
Starting in Splunk SOAR version 6.2.0, Splunk SOAR is using universal forwarders instead of remote search to bring your Splunk SOAR data into Splunk Enterprise or Splunk Cloud Platform and provide visibility of your Splunk SOAR data in your Splunk App for SOAR dashboards. For more information on universal forwarders, see the links later in this section.
To configure searching, add the required Splunk SOAR indexes to your Splunk server:
- Go to the Configurations tab.
- In the Advanced Options section, from the Create indexes (REQUIRED for SOAR Remote Search and SOAR System Logs) dropdown menu, select the Create Indexes option.
- Perform the steps for your Splunk SOAR version:
- For Splunk SOAR versions 6.2.0 and later:
Configure universal forwarders following the instructions for your Splunk SOAR deployment, see Configure search in Splunk SOAR (Cloud) or Configure search in Splunk SOAR (On-premises). - For Splunk SOAR versions 6.1.1 and earlier:
- Set up remote search on a standalone or distributed instance of Splunk Cloud Platform or Enterprise.
- Reindex your data to bring in data from Splunk SOAR into Splunk Cloud Platform or Enterprise.
- View any Splunk App for SOAR dashboard to make sure data is populating.
If you want past data to appear in Splunk App for SOAR dashboards, you must reindex your Splunk SOAR data. By default, only new data appears.
Last modified on 04 February, 2025
| Connect Splunk App for SOAR to Splunk SOAR | Set up the universal forwarder using Splunk SOAR version 6.2.x |
This documentation applies to the following versions of Splunk® App for SOAR: 1.0.41
Download manual
Feedback submitted, thanks!