Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

Install the Splunk App for SOAR Export on Splunk Enterprise

Install the Splunk App for SOAR Export on a single search head, search head cluster environment, or distributed Splunk Enterprise deployment.

If you are configuring a Splunk SOAR (On-premises) cluster, configure the cluster before configuring Splunk App for SOAR Export. Any configuration or information on a stand-alone Splunk SOAR instance is erased when the instance is joined to an existing cluster. See Create a Splunk SOAR (On-premises) Cluster in the Install and Upgrade Splunk SOAR (On-premises) manual.

Install Splunk App for SOAR Export on a single search head

You can install Splunk App for SOAR Export on a single search head from within Splunk Enterprise or from Splunkbase. Each method is described in this section.

To install the Splunk App for SOAR Export from within Splunk Enterprise, follow these steps:

  1. In Splunk Enterprise, select the Apps gear icon.
  2. Select Browse more apps.
    The Splunk App Browser opens.
  3. In the search field, enter SOAR Export.
  4. Locate Splunk App for SOAR Export, then select Install.
  5. Enter your Splunk.com login credentials (username and password).
  6. Select Agree and Install.
    This confirms that you accept the license terms and installs the app on your deployment.

To install the Splunk App for SOAR Export using Splunkbase, follow these steps:

  1. Download Splunk App for SOAR Export from Splunkbase.
  2. Log into your Splunk Enterprise instance.
  3. In the apps panel, select the gear icon.
  4. Select Install app from file.
  5. Upload the Splunk App for SOAR Export file you downloaded earlier in this procedure.
  6. Confirm that you want to restart Splunk Enterprise to complete the installation.

Install the Splunk App for SOAR Export in a search head cluster

Use a deployer to install the Splunk App for SOAR Export in a search head cluster environment. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

Authorize the Splunk App for SOAR Export in the Splunk cluster captain node's server.conf file so that configuration changes made to the Splunk App for SOAR Export can be replicated within the search head cluster.

  1. Edit the $SPLUNK_HOME/etc/system/local/server.conf file.
  2. Add the following configuration:
    [shclustering]
    conf_replication_include.phantom = true
  3. Restart Splunk Enterprise for the changes to take effect.
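The edit in steps 1 and 2 is easy to get wrong by hand on a captain that already has a populated [shclustering] stanza, so the following script checks for the setting and applies it idempotently. This is an added example written for this page; it is not part of the Splunk documentation or of the app itself. It assumes server.conf follows Splunk's INI-style layout (bracketed stanza headers, key = value lines, '#' comments) and the sample configuration text inside it is constructed.

```python
"""Idempotently set conf_replication_include.phantom = true in a Splunk server.conf.

Added example, not the Splunk App for SOAR Export's own code.
Assumes Splunk's INI-style conf layout: [stanza] headers, key = value lines,
'#' comments. SAMPLE_CONF below is constructed for demonstration.
"""
import re
import shutil
import sys
from pathlib import Path

STANZA = "shclustering"
KEY = "conf_replication_include.phantom"
VALUE = "true"

_STANZA_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEY_RE = re.compile(r"^\s*([^=#\s][^=]*?)\s*=\s*(.*?)\s*$")

# Constructed sample of a captain's server.conf before the change is applied.
SAMPLE_CONF = """\
[general]
serverName = sh1.example.internal

[shclustering]
disabled = 0
mgmt_uri = https://sh1.example.internal:8089
"""


def _parse(text):
    """Return (stanza, key, value) for every key line, skipping blanks and comments."""
    current = None
    entries = []
    for line in text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1).strip()
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        k = _KEY_RE.match(line)
        if k:
            entries.append((current, k.group(1), k.group(2)))
    return entries


def has_phantom_replication(text):
    """True when [shclustering] already carries conf_replication_include.phantom = true."""
    return any(s == STANZA and k == KEY and v.lower() == VALUE
               for s, k, v in _parse(text))


def ensure_phantom_replication(text):
    """Return text with the setting under [shclustering]; unchanged if already correct.

    Handles three cases: stanza missing (appended with the key), stanza present
    but key missing (key added to the stanza), key present with another value
    (value rewritten to true).
    """
    out = []
    current = None
    stanza_seen = False
    key_done = False
    for line in text.splitlines():
        m = _STANZA_RE.match(line)
        if m:
            # Leaving the target stanza without having written the key: add it now.
            if current == STANZA and not key_done:
                out.append(f"{KEY} = {VALUE}")
                key_done = True
            current = m.group(1).strip()
            stanza_seen = stanza_seen or current == STANZA
            out.append(line)
            continue
        k = _KEY_RE.match(line)
        if current == STANZA and k and k.group(1) == KEY and not key_done:
            out.append(f"{KEY} = {VALUE}")  # overwrite whatever value was set
            key_done = True
            continue
        out.append(line)
    if stanza_seen and not key_done:
        out.append(f"{KEY} = {VALUE}")
    elif not stanza_seen:
        if out and out[-1].strip():
            out.append("")
        out.extend([f"[{STANZA}]", f"{KEY} = {VALUE}"])
    return "\n".join(out) + "\n"


def main(path):
    """Back up the file, apply the setting, and report whether a restart is needed."""
    p = Path(path)
    text = p.read_text()
    if has_phantom_replication(text):
        print(f"{p}: already configured, nothing to do")
        return
    shutil.copy2(p, p.with_suffix(p.suffix + ".bak"))
    p.write_text(ensure_phantom_replication(text))
    print(f"{p}: updated; restart Splunk Enterprise for the change to take effect")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])  # e.g. $SPLUNK_HOME/etc/system/local/server.conf
    else:
        print(ensure_phantom_replication(SAMPLE_CONF))
```

Run it with the path to the captain's $SPLUNK_HOME/etc/system/local/server.conf; without an argument it prints what it would do to the constructed sample. The script only writes the file when the setting is absent or wrong and keeps a .bak copy, so re-running it after the restart in step 3 is a cheap way to confirm the stanza survived.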

Install the Splunk App for SOAR Export in a distributed Splunk Enterprise environment

Use the tables below to determine where and how to install the Splunk App for SOAR Export in a distributed Splunk Enterprise deployment.

Where to install the app in a distributed deployment

Use the table to determine where to install the Splunk App for SOAR Export in a distributed Splunk Enterprise deployment.

Splunk instance type | Install the add-on here? | Comments
Search Heads         | Yes                      | Install this add-on on the search head.
Indexers             | Yes                      | The add-on uses the cim_modactions index for alert and adaptive response actions.
Forwarders           | No                       | The add-on does not contain inputs for forwarder data collection.

Distributed deployment compatibility

Use the table to check the compatibility of the Splunk App for SOAR Export with Splunk Enterprise distributed deployment features.

Distributed deployment feature | Supported | Comments
Search Head Clusters           | Yes       | Use the search head cluster deployer to distribute the add-on across search head cluster members. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.
Indexer Clusters               | Yes       | The add-on uses the cim_modactions index for alert and adaptive response actions.
Deployment Server              | No        | The add-on does not contain inputs for forwarder data collection.
Last modified on 03 September, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.3.13