Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Configure global field mappings

Use global field mappings when you have mappings that you want to apply for all your data model and saved search exports. Global field mappings provide consistency in the CEF mappings for events sent to Splunk SOAR, and can also save you time when configuring your data model or saved search exports.

How global field mappings are created

Global field mappings are created when you configure or edit event forwarding. For example:

  1. Configure a new data model or saved search export. See Create and export data models and saved searches to send to Splunk SOAR.
  2. Configure your desired mappings for the unmapped fields, then click Save Mappings to save the mappings as global field mappings.

The next time you configure a data model or saved search export, any fields that are mapped with global field mappings will appear in the Mapped Fields section. Global field mappings are only applied to new data model or saved search export configurations and not to any existing event forwarding configurations.

Global field mappings are created automatically for Splunk Enterprise Security (ES) notable events.

If you map a field that already exists as a global field mapping, the existing global field mapping is overwritten.

For this release: When working with time, map to a CEF field other than _time.

Updating CIM to CEF mappings when accessing the global field mappings for the first time

The first time you access the Global Field Mapping page, the default CIM-to-CEF mappings defined in Splunk SOAR are displayed. Configure and save the desired mappings to use them in your saved searches and data models. The default CIM-to-CEF mappings are not displayed again when you access the Global Field Mapping page any subsequent time.

Forward unmodified data to Splunk SOAR

Delete a global field mapping to send the raw, unmodified data to Splunk SOAR.

Perform the following tasks to delete a global field mapping:

  1. In your Splunk platform instance, access the Splunk App for SOAR Export.
  2. Click Configure Global Field Mappings.
  3. Click Delete for the field mapping you want to delete.
  4. Click Delete in the dialog box to confirm that you want to delete the mapping.
Last modified on 27 May, 2023
Synchronize workbooks across multiple Splunk SOAR servers   Configure how Splunk SOAR handles multivalue fields in Splunk ES notable events

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters