Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Create custom status labels in

You can create additional status labels for the events and cases in as needed for your business processes.

Statuses are grouped into three categories: New, Open, and Resolved. You can create up to 10 total status labels in .

Status label rules

Status labels must adhere to the following rules:

  • At least one status label must exist for each of the status categories.
  • Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
  • The name cannot exceed 128 characters in length.
  • The labels New, Open, and Closed are available upon upgrade. These three labels can be deleted, removing them from the active list. These labels cannot be renamed because they are required for backwards compatibility with apps and playbooks.

To maintain backwards compatibility with apps and existing playbooks, if the status labels New, Open, or Closed have been deleted, ingestion apps and the REST API can still assign the statuses New, Open, and Closed to containers.

Create a status label in

To create a status label, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings > Status.
  3. Click Add Item in the status category where you want to create the new status label.
  4. Type the new status name. The status label name must adhere to the status label rules described earlier.
  5. Click Add Item.

To reorder status labels, drag the handle ( ☰ ) on the left side of the status label's input box to the desired position.

To delete a status label, click the circled x ( ⓧ ) to the right of the status label's input box.

To set the status label used as the default label for that status type, select the desired label from the drop-down list in the Default status field.

Last modified on 18 May, 2023
Use data retention strategies to schedule and manage your database cleanup   Create custom severity names

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters