Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

Configure search in

In earlier releases of search was handled by an embedded version of Splunk Enterprise. Beginning with release 6.2.0, uses PostgreSQL full-text search, which has been modified to accept the * wildcard. For search syntax and examples, see Search within .

To improve the ability to get data into a Splunk Cloud Platform or Splunk Enterprise deployment, support was added for Universal Forwarders. For information about configuring forwarders, see Configure forwarders to send SOAR data to your Splunk deployment.

also supports using an Elasticsearch instance for indexing SOAR data.

This list summarizes the available options for configuring forwarding data to a Splunk Enterprise or Splunk Cloud Platform instance from .

  • Splunk Cloud Platform - by configuring a Universal Forwarder Credentials Package and Universal Forwarders
  • Splunk Enterprise - by configuring Universal forwarders
  • Elasticsearch - by configuring a forwarder

Configure to forward data to Splunk Cloud Platform

Integrating with Splunk Cloud Platform requires the following actions:

Configure to forward data to Splunk Enterprise

Integrating with Splunk Enterprise requires the following actions:

Configure to send data to an Elasticsearch instance

When you configure to use an external instance of Elasticsearch, a copy of all indexed and searchable data is sent to the Elasticsearch instance.

Configure the scope of global search using the REST API

You can control the scope used by global search in , using the /rest/feature_flag/restrict_global_search REST API endpoint. See /rest/feature_flag/<feature_flag_name> for details of the /rest/feature_flag REST API, the parameters it accepts, and examples for changing settings using the endpoint.

In the interest of performance, restrict_global_search defaults to "on" and has the following settings applied:

  • Searching the database tables app_run, action_run, and playbook_run are turned off.
  • The maximum age of database table entries will be searched is 30 days.
Last modified on 02 April, 2024
Customize email templates in   Configure forwarders to send SOAR data to your Splunk deployment

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.2.1, 6.2.2

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters