Configure a Splunk asset in Splunk SOAR to pull data from the Splunk platform
In your Splunk SOAR instance, you can create and configure a new Splunk app asset that searches the Splunk search head and creates on-poll events, pulling data from the Splunk platform into Splunk SOAR. On-poll ingestion gives you the most control over which events to pull in and when to pull them. Use this on-poll configuration to get data into Splunk SOAR when you cannot push events from the Splunk platform to Splunk SOAR.
This functionality uses the Splunk app within your Splunk SOAR instance; it is not part of Splunk App for SOAR Export. Use this option only when you cannot use adaptive response actions (see Run adaptive response actions in Splunk ES to send notable events to Splunk SOAR) or adaptive response relay (see Use adaptive response relay to send notable events from Splunk ES to Splunk SOAR).
Perform the following tasks to configure a new Splunk asset in Splunk SOAR:
- Log in to your Splunk SOAR instance.
- From the main menu, click Apps.
- Search for Splunk, then click Configure New Asset in the Splunk app row.
- Give the asset a name such as splunkes and also enter a description.
- Click the Asset Settings tab.
- Add the IP address of the Splunk search head that the asset will search.
- Add phantomsearch as the user name and specify its password. Use a dedicated account that holds only the search permissions the asset needs, not an administrator account, so a leaked asset credential grants no more than read access to search.
- Select the appropriate time zone.
- On Splunk Cloud Platform, you must select the Validate Server Certificate checkbox. On Splunk Enterprise, certificate validation is optional, but leave it enabled unless the search head presents a certificate the SOAR host cannot verify: with validation off, anything on the network path between Splunk SOAR and the search head can impersonate the search head and capture the phantomsearch credentials.
- Enter the query in the Query to use with On Poll field. For example, a query that returns a single test row:
| makeresults | eval src_ip="22.214.171.124"
- Enter src_ip, _raw in the Name to give containers created via ingestion field.
- Click the Ingest Settings tab and select events as the Label to apply to objects from this source.
- Click Save.
- Verify the configuration by clicking Asset Settings, and then Test Connectivity. Make sure you get a message indicating a successful test. If you do not, check for a typo in the user name or password, a user whose permissions have been removed, or an invalid command in the query.
- Create a poll request to verify that data can be pulled from the Splunk platform into Splunk SOAR:
  - Click the Ingest Settings tab.
  - Click Poll Now, verify the default settings, then click Poll Now again.
  - Verify the response indicates that one container and one artifact were created.
  - Click Close.
  - From the main menu, select Sources and verify the Test On Poll container and artifact.
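The following is an added example, not code from the Splunk app or from Splunk's documentation. It reproduces from the command line what Test Connectivity and Poll Now exercise through the UI: authenticate as the search user against the Splunk management port (8089 by default), run the on-poll query through the REST search export endpoint, and count how many result rows would become containers and artifacts (one of each per row, as in the procedure above). The host, port and credentials are assumptions supplied by the caller; the container-naming rule (joining the values of the configured fields with a comma) is an assumption for illustration, not the app's documented behaviour. The embedded export response is constructed sample data so the script runs offline.

```python
"""Stand-alone check of a Splunk SOAR on-poll query against the Splunk REST API.

Added example, not part of the Splunk app or its documentation. The functions
below parse the newline-delimited JSON that search/jobs/export returns with
output_mode=json and map result rows to SOAR-style containers. export_search()
and server_info() perform the live calls; host, port and credentials are
assumptions the caller supplies.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample of an export response: one JSON object per line, final
# rows carry preview=false; preview rows are interim and must be skipped.
SAMPLE_EXPORT = (
    '{"preview":true,"offset":0,"result":{"src_ip":"interim"}}\n'
    '{"preview":false,"offset":0,"result":{"_time":"2024-01-01T00:00:00.000+00:00",'
    '"src_ip":"22.214.171.124","_raw":"2024-01-01T00:00:00.000+00:00"}}\n'
)


def parse_export(body: str) -> list[dict]:
    """Return the final (non-preview) result rows from an export response."""
    rows = []
    for line in body.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def rows_to_containers(rows: list[dict], name_fields: list[str], label: str) -> list[dict]:
    """Map each row to one container holding one artifact.

    Naming by joining the configured fields' values is an assumption made for
    this example; the field list mirrors the asset's
    'Name to give containers created via ingestion' setting.
    """
    containers = []
    for row in rows:
        name = ", ".join(str(row.get(f, "")) for f in name_fields)
        containers.append({
            "name": name,
            "label": label,
            "artifacts": [{"label": label, "cef": dict(row)}],
        })
    return containers


def _ssl_context(verify) -> ssl.SSLContext:
    """verify=True mirrors 'Validate Server Certificate'; a string is treated as
    a CA bundle path (the right fix for a private CA); False disables checks."""
    ctx = ssl.create_default_context(cafile=verify if isinstance(verify, str) else None)
    if verify is False:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _request(url: str, user: str, password: str, data=None, verify=True, timeout=60) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=data, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=_ssl_context(verify), timeout=timeout) as resp:
        return resp.read().decode()


def server_info(host: str, port: int, user: str, password: str, verify=True) -> str:
    """Equivalent of Test Connectivity: authenticate and return the Splunk version."""
    body = _request(f"https://{host}:{port}/services/server/info?output_mode=json",
                    user, password, verify=verify, timeout=30)
    return json.loads(body)["entry"][0]["content"]["version"]


def export_search(host: str, port: int, user: str, password: str, query: str, verify=True) -> str:
    """Run the on-poll query once via search/jobs/export and return the raw body."""
    spl = query if query.lstrip().startswith("|") else f"search {query}"
    data = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    return _request(f"https://{host}:{port}/services/search/jobs/export",
                    user, password, data=data, verify=verify)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in export_search(...) for a live check.
    containers = rows_to_containers(parse_export(SAMPLE_EXPORT), ["src_ip", "_raw"], "events")
    artifacts = sum(len(c["artifacts"]) for c in containers)
    print(f"{len(containers)} container(s), {artifacts} artifact(s)")
    for c in containers:
        print(" -", c["name"])
```

Run it as-is to see the sample row become one container and one artifact, matching what Poll Now should report for the makeresults query. For a live check, call server_info and export_search with the asset's host, port and the phantomsearch credentials; if validation fails on a private CA, pass the CA bundle path as verify rather than setting it to False.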
For more information about polling and assets in Splunk SOAR, see Add and configure apps and assets to provide actions in Splunk SOAR in the Administer Splunk SOAR documentation.
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135, 4.2.3, 4.3.2