Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Filter indicator records in

When you first install , industry-standard indicator records are generated for events coming in. This can result in the generation of a large volume of indicator records many of which might not be necessary for your system.

Default filtering

As of release 6.0.0: To reduce the number of indicator records, only generates records that are associated with default and custom fields that are present in your indicator list, located under Administration > Event Settings > Indicators. Any records associated with fields that are not present in your indicator list are automatically deleted.

Create a filter

To filter out certain indicators, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings > Indicators.
  3. To filter out certain indicator records, uncheck the box by the field name of the record you don't want to generate indicators for. If you have created any custom CEF fields, by default those fields don't have indicator records. If you want to create indicators for these fields, make sure to check the box next to the field name.
  4. After you have made any changes, click Save Changes.
  5. (Optional) To sort by data type, click Data Type and choose how you would like to sort the fields. You can also search for indicators by data type in the search bar to add them to the filter.
  6. (Optional) Click Field Type to sort the fields based on default or custom fields.
  7. (Optional) Use the search bar to search for specific fields.
  8. (Optional) Use the Total Count column to see the number of each type of indicator record across the system.

This filter applies only to events coming in after the filter is set and does not apply to indicator records that were previously created.

Last modified on 26 April, 2023
Create custom fields to filter events   Track information about an event or case using HUD cards

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters