Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Set up Splunk Enterprise

If is installed as a stand-alone product, it includes a version of Splunk Enterprise as the internal search engine. You can also configure to use an external Splunk instance for searching. A cluster also requires an external Splunk Enterprise instance.

Review the product compatibility matrix in Check prerequisites for Splunk App for SOAR in the Install and Configure Splunk App for SOAR manual to make sure compatible versions of the Splunk platform and are being used.


The Splunk App for SOAR defines the user roles and indices needed by to use Splunk Enterprise for searches.

Install Splunk Enterprise and add-ons

  1. Install and configure Splunk Enterprise from the documentation. See the Splunk Enterprise Installation Manual.
  2. Configure your firewall to allow access. For a complete list of ports, see required ports.
  3. Install the Splunk App for SOAR. See Where to get more apps and add-ons in the Splunk Enterprise Admin Manual.
  4. Set up the HTTP Event Collector in Splunk. See Set up and use HTTP Event Collector in Splunk Web in the Splunk Enterprise Getting Data In manual.

Create required user accounts for Splunk SOAR (On-premises)

requires two user accounts with roles added by the Splunk App for SOAR. The roles are phantomsearch and phantomdelete. You can use any user names you like for these accounts. These instructions use phantomsearch and phantomdelete.

See Add the phantomsearch and phantomdelete user accounts in Install and Configure Splunk App for SOAR for more information.

  1. Select Settings > Access Controls.
  2. Click Users.
  3. Click New User.
  4. Type phantomsearch for Name.
  5. Set and confirm a password for this user which complies with your organization's security policies.
  6. Under Assigned role(s), in the Selected item(s) box, select user to remove that role.
  7. Under Assigned role(s), in the Available item(s) box, select phantomsearch to add that role.
  8. Deselect the Require password change on first login check box.
  9. Click Save.
  10. Click New User.
  11. Type phantomdelete for Name.
  12. Set and confirm a password for this user which complies with your organization's security policies.
  13. Under Assigned role(s), in the Selected item(s) box, select user to remove that role.
  14. Under Assigned role(s), in the Available item(s) box, select phantomdelete to add that role.
  15. Deselect the Require password change on first login check box.
  16. Click Save.

Configure Splunk SOAR (On-premises) instances to use external Splunk Enterprise

After your instances have been installed, configure them to use the external Splunk Enterprise.

You need a Splunk Enterprise license to use external Splunk Enterprise for remote search. If you do not already have one, please work with your Delivery Team to purchase one.

You need the host name of your Splunk Enterprise server, the HTTP Event Collector token, and the passwords for the user accounts with the phantomsearch and phantomdelete roles.

  1. Log in to as an administrative user.
  2. From the Main Menu, select Administration.
  3. Select Administration Settings > Search Settings.
  4. From Search Endpoint, select the radio button for External Splunk Enterprise Instance.
  5. Type the host name of your Splunk Enterprise server in the Host field.
  6. Type the user name and password for the user account with the phantomsearch role in the Username and Password fields.
  7. Type the user name and password for the user account with the phantomdelete role in the Username and Password fields.
  8. Type the port number that Splunk Enterprise uses to listen for REST API calls in the REST Port field.
  9. Select the Use SSL for REST to enable SSL for REST API calls.
  10. Select the Verify Certificate for REST to validate the SSL certificate used for REST API calls. Requires a trusted certificate configured in your certificate store.
  11. Type the port number for the Splunk Enterprise HTTP Event Collector in the HTTP Event Collector Port field.
  12. Select the Use SSL for HTTP Event Collector check box to enable SSL for the HTTP Event Collector.
  13. Paste the HTTP Event Collector token in the HTTP Event Collector Token field.
  14. Select the Verify Certificate for HTTP Event Collector check box to validate the SSL certificate used by the Event Collector. This requires a trusted certificate configured in your certificate store.
  15. Click Save Changes.
Last modified on 19 September, 2023
Set up a load balancer with an HAProxy server   upgrade overview and prerequisites

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.4.0, 5.5.0, 6.0.0, 6.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters