Skip to main content
Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

Splunk® SOAR (On-premises)
6.1.1
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Search within Splunk SOAR (On-premises)

Splunk SOAR (On-premises) includes an embedded copy of Splunk Enterprise for searching data in Splunk SOAR (On-premises).

You can also configure search using an external Splunk Enterprise instance, or distributed Splunk Enterprise deployment. For more information, see Configure search in Splunk SOAR (On-premises) in the Administer Splunk SOAR (On-premises) manual.

Searching in Splunk SOAR (On-premises)

There is a search box in the upper left of every Splunk SOAR (On-premises) screen. Most screens also have a section specific search box below the menu bar. Section specific search boxes display text indicating what it will search. For example, on the Indicators screen, the section specific search box contains "Search indicator values".

For non section specific searches, when you enter a search term, it appears as part of the URL in the address bar, so you can create a bookmark.

For example: 

https://<Splunk SOAR URL>/search?query=events

Search results can vary as changes in Splunk SOAR (On-premises) occur between visits to the search page.

Initial search results are returned without filters applied. The search results page has a row of checkboxes for the following predefined filters; Containers, Artifacts, Actions, Assets, Apps, or Other to narrow your search results. Click the checkbox next the the filter you want to apply.

Search results are displayed in groups of 10 results per page. Use the menu in the bottom center of the search results page to view a up to a maximum of 100 results per page.

The search directives in Splunk SOAR (On-premises) are limited to a subset of the Splunk Processing Language (SPL). If you're using an external Splunk Enterprise instance as your Splunk SOAR (On-premises) search engine, you can use all of the Splunk Enterprise features through the interface on that instance. For more information, see Understanding SPL syntax in the Splunk Enterprise Search Reference manual.

Available search operators in Splunk SOAR (On-premises) are:

  • Boolean operators; AND, OR, and NOT. The NOT operator excludes an entire object from appearing in the search results, even if other terms within that object match.
  • Parentheses to group terms into more complex boolean searches.
  • Quotation marks to search for exact phrases.
  • The wildcard character '*'.

Searching with multiple words creates an implied ALL condition. For example, the term data path returns results containing both data and path. Use OR to find results containing either data or path.

Search examples

Search for the exact phase "data path": 

"data path"

Search for objects that contain both "data" and "path": 

data AND path

Search for any objects that contain a match for "dat": 

dat*
Last modified on 28 November, 2023
Create, sort, and filter notes in Splunk SOAR (On-premises)   View the list of configured playbooks in Splunk SOAR (On-premises)

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters