Splunk® App for SOAR

Install and Configure Splunk App for SOAR

Add required indexes to your Splunk server

Starting in Splunk SOAR version 6.2.0, Splunk SOAR is using universal forwarders instead of remote search to bring your Splunk SOAR data into Splunk Enterprise or Splunk Cloud Platform and provide visibility of your Splunk SOAR data in your Splunk App for SOAR dashboards.

To configure searching, add the required Splunk SOAR indexes to your Splunk server:

  1. Go to the Configurations tab.
  2. In the Advanced Options section, from the Create indexes (REQUIRED for SOAR Remote Search and SOAR System Logs) dropdown menu, select the Create Indexes option.
  3. Configure universal forwarders following the instructions for your Splunk SOAR deployment, see Configure search in Splunk SOAR (Cloud) or Configure search in Splunk SOAR (On-premises).
  4. View any Splunk App for SOAR dashboard to make sure data is populating.

If you want past data to appear in Splunk App for SOAR dashboards, you must reindex your Splunk SOAR data. By default, only new data appears.

Last modified on 04 February, 2025
Connect Splunk App for SOAR to Splunk SOAR   Set up the universal forwarder using Splunk SOAR

This documentation applies to the following versions of Splunk® App for SOAR: 1.0.57, 1.0.67, 1.0.71

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters