Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:


Splunk SOAR (On-premises) is a Security Orchestration, Automation, and Response (SOAR) system. The platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

This manual is intended to be used by the person or team administering the system.

The following topics are discussed in this manual:

Feature Description
Company Settings Information about your company, contacts, and your license.
Administration Settings All the settings to configure the behavior and appearance of .
Product Settings Settings for the product that apply to your deployment, such as clickable URLs, aggregation, and workbooks.
Event Settings Settings to configure the organization, handling, and presentation.
User Management Settings related to user accounts, permissions, and authentication.
View how much data is ingested in using ingestion summary Information and reports for monitoring the activity of your deployment.
Apps and Assets How to add and configure apps and assets to provide actions in .
Telemetry Information about sharing data from .

Splunk Technical Support

Splunk Standard Support is included in every subscription. For details about the levels of technical support provided, read Support Programs. Only authorized support contacts from your company can open cases. Your Splunk support agreement specifies who your authorized contacts are. Your Support contract specifies a number of authorized contacts, and an expiration date. One of your contacts is a Support portal administrator, who can update the list. Only an authorized contact can open a case and track its status. An authorized contact can file a case by logging in to splunk.com, then navigating to the Support Portal.

Splunk Support portal

Designated users can manage operational contacts for their account and file support cases using the Support portal. Operational contacts are the people in your organization who are notified when their environment undergoes maintenance or experiences an event that affects performance.

To manage operational contacts:

  1. Go to My Operational Contacts in the Support portal.
  2. Follow the instructions on the page to add, edit, and remove operational contacts for your environment.

To file a case on the Support portal:

  1. From the Splunk installation is? dropdown, select the state of your deployment.
  2. In Subject, summarize your issue. Splunk Support sees the first 250 characters in this field.
  3. In What Product are you having trouble with? select .
  4. In What OS are you using? select Linux.
  5. Leave What OS Version are you using? blank.
  6. In I need help with... select a category that applies to your issue.
  7. In What is the impact... explain briefly how this issue disrupts your work.
  8. In the Problem Description, be thorough. For issues (as opposed to enhancement requests), include the exact time of the issue and its duration, the type of Splunk instance experiencing the issue (for example, forwarder, search head, or indexers), and any relevant screen shots.
  9. Include Steps to reproduce if you've found a specific scenario that triggers the issue.
  10. Click Submit. The portal directs you to a screen with a case number and sends you an email containing the case number.

Splunk Support replies to the case creator by email. You can update the case by replying to the email (be sure to keep the tracking ID in the email subject line). You can also update the case, check on its status, or close a case using the support portal.

Splunk community

The Splunk user community is a great resource. Check out Splunk Answers, where you can ask and answer questions about the product. There are also a number of other ways to get involved in the Splunk community, such as user groups or the Splunk Trust. For more information about getting involved with the Splunk community, see the Community portal.

See also

Last modified on 31 July, 2023
  Take a tour of and perform product onboarding when you log in for the first time

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters