Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Tune performance by managing features

An administrator can tune performance of their deployment by toggling the Indicators feature or removing audit logs from the deployment after they have been downloaded.

Enable or disable the indicators feature

Prior to 4.8, retrieval of indicator records did not scale in some large deployments with hundreds of thousands of indicator records. Improvements have been made to enhance performance, but some administrators may wish to disable the feature entirely.

An administrator can toggle the Indicators feature of by running a script from the *nix shell command line.

Disabling the Indicators feature removes it from the Main Menu, from the events page, and from context menus in the investigations page.

When indicators are disabled, the indicator REST APIs return response 400, with the message body: 

{
    "failed": true,
    "message": "The indicators feature is not enabled."
}

Affected APIs

  • /rest/indicator
  • /rest/indicator_by_value
  • /rest/indicator_artifact
  • /rest/indicator_artifact_timeline
  • /rest/indicator_stats_indicator_count
  • /rest/indicator_stats_top_labels
  • /rest/indicator_stats_top_types
  • /rest/indicator_stats_top_values
  • /rest/ioc
  • /rest/indicator_common_container

See REST Indicators.

Toggle the Indicators feature

To disable Indicators:

  1. SSH to your instance.
    SSH <username>@<phantom_hostname>
  2. Run the set_preference command.
    phenv set_preference --indicators no

To enable Indicators:

  1. SSH to your instance.
    SSH <username>@<phantom_hostname>
  2. Run the set_preference command.
    phenv set_preference --indicators yes

It can take as much as five minutes for the indicators feature to be hidden or to show from the Splunk SOAR (On-premises) UI after the set_preference command has been run.

Delete indicators

Indicators can provide valuable insights by cross-correlating cases, reports, or emails that contain data about an event on a network or device. When indicators are not tuned correctly, they can generate an excessive amount of records that impact the overall performance of the platform.

An administrator can improve system performance by deleting indicators from the platform by using the delete_indicators.pyc script found in /<PHANTOM_HOME>/phantom/bin.

This script will permanently delete indicators and indicator_artifact_records from Splunk SOAR (On-premises). The records can't be recovered without restoring Splunk SOAR (On-premises) from a backup. Exercise caution when using this script. Prior to running this script, it is recommended to backup Splunk SOAR (On-premises) and pause ingestion so that race conditions aren't created. See Back up a Splunk SOAR (On-premises) deployment.

delete_indicators.pyc arguments

 # phenv python delete_indicators.pyc -h
usage: delete_indicators.py [-h] [--preserve-cef-fields [PRESERVE_CEF_FIELDS ...]] 
                         [--before BEFORE_TIMESTAMP]
                         [--after AFTER_TIMESTAMP]
                         [[-c CHUNK_SIZE] [--dry-run] [--transactional] [--non-interactive] 
                         [--log-level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}] {truncate}]
Argument Positional or optional? Description
{truncate} Positional See delete_indicators.pyc truncate arguments.
-h, --help Optional Show this help message and exit.
--preserve-cef-fields [PRESERVE_CEF_FIELDS ...] Optional Preserve indicators associated with only these CEF fields. Indicators associated with all other CEF fields are deleted. CEF fields are case-sensitive.
--before BEFORE_TIMESTAMP Optional Records created before this timestamp will be deleted. Records created after this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format.
--after AFTER_TIMESTAMP Optional Records created after this timestamp will be deleted.

Records created before this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format.

-c CHUNK_SIZE, --chunk-size CHUNK_SIZE Optional The maximum number of indicators to delete in a single request.
--dry-run Optional Do not run the DELETE queries. Use this argument to test your parameters before running the script for real.
--transactional Optional When set, the entire delete operation is done automatically. Depending on how many indicators your system has, this operation could take a long time. Don't run the operation transactionally if you want to pause and restart the deletion process.
--non-interactive Optional Do not block on user input. This flag is suitable for running as part of an unsupervised script.
--log-level {NOTSET, DEBUG, INFO, WARNING, ERROR, CRITICAL} Optional Set the log level. Default level is WARNING.

delete_indicators.pyc truncate arguments

The following command truncates all the indicator tables: indicators, artifact_indicators, and indicator_artifact_records from Splunk SOAR (On-premises). Truncation permanently removes all the records from these tables. Exercise caution when using this script. Prior to running this script, it is recommended to backup Splunk SOAR (On-premises). See Back up a Splunk SOAR (On-premises) deployment.

# phenv python delete_indicators.py truncate -h
usage: delete_indicators.py truncate [-h] 
            [--non-interactive] 
            [--log-level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}]


Argument Positional or optional? Description
-h, --help Optional Show this help message and exit.
--non-interactive Optional Do not block on user input. This flag is suitable for running as part of an unsupervised script.
--log-level {NOTSET, DEBUG, INFO, WARNING, ERROR, CRITICAL} Optional Set the log level. Default level is WARNING.

Examples

Test script parameters by using the --dry-run option first. In the following examples, the --dry-run option is only supported for the second example.

Delete all indicators, artifact_records, and indicator_artifact_records:

# phenv python delete_indicators.pyc truncate


Delete indicator_artifact_records between July 1 and December 1 2022 except for those with cef fields "foo" or "bar", and the related indicators that aren't referenced elsewhere:

# phenv python delete_indicators.pyc --after 2022-07-01 --before 2022-12-01 --preserve-cef-fields foo bar

Delete audit logs

Downloading Audit logs could take a long time because all the records were loaded into memory before being written to a file. In version 4.8, audit logs have been changed to stream records to a file.

An administrator can remove audit logs after they have been manually downloaded and archived by using the delete_audit_logs.pyc script found in /<PHANTOM_HOME>/phantom/bin.

This script will permanently delete audit records from Splunk SOAR (On-premises). The records cannot be recovered without restoring Splunk SOAR (On-premises) from a backup. Exercise caution when using this script.

delete_audit_logs.pyc arguments

# phenv python delete_audit_logs.pyc-h
usage: delete_audit_logs.py [-h] [--before BEFORE_TIMESTAMP]
                            [--after AFTER_TIMESTAMP]
                            [--categories [CATEGORIES [CATEGORIES ...]]]
                            [--dry-run] [--non-interactive]
                            [--log-level {NOTSET,DEBUG,INFO,WARNING,ERROR,CRITICAL}]
Argument Description
-h, --help Show this help message and exit.
--before <BEFORE_TIMESTAMP> Records created before this timestamp will be deleted.

Records created after this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format.

--after <AFTER_TIMESTAMP> Records created after this timestamp will be deleted.

Records created before this timestamp will not be deleted. The timestamp value must be in yyyy-mm-dd [hh:mm:ss] format.

--categories [CATEGORIES [CATEGORIES ...]] Only delete records with the given categories.

Examples of categories: user, container, playbook, administration, artifact.

--dry-run Do not run the DELETE queries. Use this argument to test your parameters before running the script for real.
--non-interactive Do not block on user input. This flag is suitable for running as part of an unsupervised script.
--log-level {NOTSET, DEBUG, INFO, WARNING, ERROR, CRITICAL} Set the log level. Default level is WARNING.

Examples

Test script parameters by using the --dry-run option first.

Delete all audit logs from before July 2019:

sudo phenv python delete_audit_logs.pyc --before 2019-07-01

Delete audit logs between July 1 and December 1 2019:

sudo phenv python delete_audit_logs.pyc --after 2019-07-01 --before 2019-12-01
Last modified on 15 November, 2023
Define tasks using workbooks   Use data retention strategies to schedule and manage your database cleanup

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters