Skip to main content
Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

Splunk® SOAR (On-premises)
6.2.1
The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Share data from Splunk SOAR (On-premises)

When Splunk SOAR (On-premises) is deployed, the platform sends usage data to Splunk Inc. ("Splunk") to provide, support, and optimize your deployment and to help improve Splunk SOAR (On-premises) in future releases.

Opt in or opt out of sharing Usage Data

You can change data sharing settings anytime using either the user interface or the command line interface.

Use the Splunk SOAR (On-premises) interface

Modify general Usage Data share settings in the graphical user interface following these steps:

  1. From the main menu, select Administration.
  2. Expand the Product Settings drop-down list.
  3. Select Data Sharing.
  4. Adjust Usage Data category toggles to the On (opt in) or Off (opt out) position.

Use the command line interface

Modify Rum and FullStory Usage Data share settings using the command line interface and the following management commands:

For Splunk RUM telemetry:

phenv set_preference --rum [{yes,no}]

Use yes to opt in, no to opt out.

For FullStory telemetry:

phenv python -m manage fullstory

How data is collected

Splunk SOAR (On-premises) uses several technologies running in the background to collect usage data.

  • Splunk Web Analytics (swa.js)
  • Splunk Real User Monitoring (RUM)
  • FullStory

Usage Data Telemetry

A Splunk SOAR (On-premises) background task runs at a specified system time to collect telemetry data which is transmitted to Splunk's products-telemetry server.

Each time a user logs in some system settings and license metrics are collected.

FullStory is used to collect experiential user journey information from the Visual Playbook Editor with user personally identifiable information redacted. In the Splunk SOAR (On-premises) interface, FullStory data collection can either be managed from the graphical interface by switching the main Telemetry Usage Data toggle on or off, or alternatively, by discrete command using the command line interface, as described earlier in this article.

For information about the Visual Playbook Editor see Use playbooks to automate analyst workflows in Splunk SOAR (On-premises) in Build Playbooks with the Playbook Editor.

RUM Telemetry

Splunk Real User Monitoring (RUM) connects to a non-PCI-compliant system.

RUM is designed to collect and send information like console errors, JavaScript errors, and page load performance metrics without user-provided values, such as username or email, or any URI or URL parameters that personally identify individual users. See What is Splunk RUM? for more information.

How data is stored

Splunk's retention timeframes for Usage Data are described here and those for Splunk Rum are described here. For more information about Splunk's data collection and privacy practices see the Splunk Privacy Policy and learn how Splunk Protects.

Telemetry impacts on performance

Collecting telemetry data minimally affects database performance and the loading of the Splunk SOAR (On-premises) UI.

General Usage Data

Splunk SOAR (On-premises) telemetry collects the following basic usage information:

Name Description Example
Items in this section apply to all telemetry objects

app.session.phantom.*

app.session.soar.*

automation.*

automation.summary.*

orchestration.*

Either:
  • companyID: Splunk SOAR (On-premises), a SHA256 has of the company name as listed in the license, or
  • stackID: Splunk SOAR (Cloud), a SHA256 hash of the stack name

And:

  • licenseNumber: the license key that was issued to your deployment.
  • licenseIssueDate: the date the license was issued.
  • licenseExpirationDate: the date the license will expire.
  • licenseInstance: Internal Salesforce ticket number to issue the license.

Splunk SOAR sends the deploymentID with every event. This change adds either companyID or stackID and licenseNumber, licenseIssueDate, licenseExpirationDate, and licenseInstance wherever deploymentID is currently logged.

{
  "data": {
 ...
  "licenseNumber": "0ffff-ffff-fff-fff-ffffff",
  "licenseIssueDate": "2024-12-22",
  "licenseExpirationDate": "2024-12-22",
  "licenseInstance": "12304",
  },
  "timestamp": 1684779074013,
  "component": "app.session.soar.systemSettings",
  "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
  "companyID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff",
  "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
  "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}
{
  "data": {
 ...
  "licenseNumber": "0ffff-ffff-fff-fff-ffffff",
  "licenseIssueDate": "2024-12-22",
  "licenseExpirationDate": "2024-12-22",
  "licenseInstance": "12304",
  },
  "timestamp": 1684779074013,
  "component": "app.session.soar.systemSettings",
  "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
  "companyID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff",
  "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
  "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}

Or

{
  "data": {
 ...
  "licenseNumber": "0ffff-ffff-fff-fff-ffffff",
  "licenseIssueDate": "2024-12-22",
  "licenseExpirationDate": "2024-12-22",
  "licenseInstance": "12304",
  },
  "timestamp": 1684779074013,
  "component": "app.session.soar.systemSettings",
  "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
  "stackID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff",
  "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
  "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}
app.session. objects
app.session.soar.apiTime

app.session.phantom.apiTime

Reports roundtrip time consumption for each API request.
data: {
    app: soar
    endpoint: /rest/ph_user/3/permissions
    method: get
    page: UNKNOWN_PAGE
    status: 200
    time: 150
    soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
    soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213030362
visibility: anonymous
data: {
    app: phantom
    endpoint: /rest/ph_user/3/permissions
    method: get
    page: UNKNOWN_PAGE
    status: 200
    time: 150
    phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
    phantomUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213030362
visibility: anonymous
app.session.soar.error Reports uncaught errors of front-end Splunk SOAR scripts.
data: {
   app: soar
   errorMsg: Uncaught ReferenceError: helloworld is not defined
   file: /inc/swa/swa_enabled.js
   page: admin.product_settings.telemetry
   position: 74:1
   soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
   soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 94efce66-ab89-33ae-f894-1cceb8f68f78
experienceID: 239facf6-261d-dd96-be08-33870c7d3750
optInRequired: 3
timestamp: 1574294947704
visibility: anonymous
app.session.soar.license

app.session.phantom.license

Reports license status, limits, and usage information. Sent once per session.
  • usage: Usage metrics of user activeUsersCount, a count of users who logged in in the past day.
  • app: "soar"
  • page: UNKNOWN_PAGE
    (this item is not being tracked)
  • type: Type of license (standard, community, dev)
  • issueDate: timestamp when license issued
  • expirationDate: timestamp when license is due to expire
  • limits: Maximum usage allowed with the current license
  • limit.apps: the maximum number of apps the deployment can have, as set by your license.
  • limit.assets: the maximum number of assets the deployment can has, as set by your license.
{
  'type': 'standard',
  'issueDate': 1616371200.0,
  'expirationDate': 4769971200.0,
  'companyName':
  'limits': {
    'actions': 'unlimited', (NEW)
    'apps': 'unlimited',
    'assets': 'unlimited', (NEW)
    'events': 'unlimited',
    'users': 'unlimited',
    'tenants': 1,
    'seats': 'unlimited'
  },
  'productVersion': '10155.0.0.124976',
  'usage': {
    'recentAppRunCount': 0,
    'recentPlaybookRunCount': 0,
    'recentDebugRunCount': 0,
    'seatCount': 1,
    'activeUsersCount': 2,
  }
}
app.session.soar.pageview

app.session.phantom.pageview

Reports which pages are visited by users.
data: {
   app: soar
   page: admin.company_settings.info
   soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
   soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6
experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d
optInRequired: 3
timestamp: 1574210581565
visibility: anonymous
{
data: {
   app: phantom
   page: admin.company_settings.info
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
  }
eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6
experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d
optInRequired: 3
timestamp: 1574210581565
visibility: anonymous
}
app.session.soar.
systemSettings

app.session.phantom.
systemSettings

Reports the feature on/off settings and product version.
  • credentialManager: which credential manager is in use.
  • app: "phantom"
  • page: UNKNOWN_PAGE (This item is not being tracked)
  • isClusteringEnabled
  • isMultiTenantEnabled
  • numberofClusterNodes
  • productVersion: Version number of the Splunk SOAR or Splunk Phantom instance
{
  "optInRequired": 3,
  "original_timestamp": 1684779074013,
  "visibility": "anonymous",
  "data": {
    "cloudWorksEnvironment": "stg",
    "isClusteringEnabled": false,
    "numOfClusterNodes": 0,
    "isMultiTenantEnabled": false,
    "nodeGUID": "057f9e04-d54c-4ccc-9ffb-4aa82551b4d6",
    "page": "UNKNOWN_PAGE",
    "isElasticSearchEnabled": false,
    "credential_manager": "hashicorp",
    "splunkConfig": {
      "searchLocation": "local",
      "searchType": "standalone"
    },
    "app": "soar",
    "missionControlDeploymentID": null,
    "soarDeploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
    "license": "standard",
    "soarUserID": <br/>"5ebe9df18591550e99cd82079e8448a1c14582f0c04cfd84eaa3a254cae8675cc1eb2097c47dcc99c184481d89949492c4b700918c1e20f909f1bc5f4ea400c6",
    "productVersion": "10155.0.0.124976"
  },
  "timestamp": 1684779074013,
  "component": "app.session.soar.systemSettings",
  "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
  "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
  "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}
app.session.session_start Reports the browser and OS, along with their versions.
{
data: {
    app: UNKNOWN_APP
    browser: Chrome
    browserVersion: 78.0.3904.97
    device: MacIntel
    locale: en-US
    os: Mac OS X
    osVersion: 10.
    page: UNKNOWN_PAGE
    splunkVersion: not available
  }
eventID: d9ca862c-d48d-83a1-d1bb-f0f25f4b5af8
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213029
visibility: anonymous
}
app.session.phantom.viewTime Reports time spent on a specific page. Only tracked for specific pages.
{
  data: {
   app: phantom
   page: reports
   viewTime: 10223
   phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
   phantomUserID: 5d900c28b8d1555745c09908ef386860
  }
  eventID: 545fdcfb-ac0d-a11b-da6a-4b9da84b6c2a
  experienceID: 85b49544-fb90-a2ef-1b3f-e09339f3abc1
  optInRequired: 3
  timestamp: 1573690198763
  visibility: anonymous
}
app.session.soar.vpe

app.session.phantom.vpe

Reports:
  • VPE version (Classic or Modern)
  • The types of blocks in a playbook
  • The number of blocks in a playbook
  • Which hotkey shortcuts were used while editing a playbook
  • Specific Splunk SOAR features used in a playbook

The classic playbook editor will be deprecated soon, in 2024. For information on converting your playbooks, see Convert classic playbooks to modern playbooks.

component: app.session.soar.vpe
data: {
   app: soar
   jsonSchemaVersion:"5.0.3"
   page: UNKNOWN_PAGE
   blocks: {
     totalCount: 14
     blockTypes: {
       action: 2
       playbook: 1
       code: 1
       utility: 1
       filter: 1
       decision: 1
       format: 6
       prompt: 1
     }
     customCodeBlockCount: 3
     customCodeBlockTypeCounts: {
       start: 0
       end: 1
       action: 2
       playbook: 0
       code: 0
       utility: 0
       filter: 0
       decision: 0
       format: 0
       prompt: 0
     }
     actions: ["geolocate ip", "whois domain"]
   }
   hotkeys: {
     totalCount: 14
     interactions: {
       addMiniMenu: 7
       addActionBlock: 6
       addPlaybookBlock: 0
       addCodeBlock: 0
       addUtilityBlock: 0
       addFilterBlock: 0
       addDecisionBlock: 0
       addFormatBlock: 1
       addPromptBlock: 0
       autoArrange: 1
       zoomToFit: 1
       zoomIn: 0
       zoomOut: 0
       savePlaybook: 1
       deleteNode: 0
       toggleEditor: 1
       toggleDebugger: 1
       toggleSettings: 1
       showShortcutModal: 1
     }
   }
   features: {
     customConditionLabel: 3
     customDatapaths: 2
     playbookInputs: {
       count: 0
       dataTypes: {
         "domain": 0
         "file id": 0
         "file name": 0
         "file path": 0
         "hash": 0
         "host name": 0
         "ip": 0
         "mac address": 0
         "port": 0
         "process name": 0
         "url": 0
         "user name": 0
       }
     }
     playbookOutputs: {
       count: 1
       dataTypes: {
         "domain": 1
         "file id": 0
         "file name": 0
         "file path": 0
         "hash": 0
         "host name": 0
         "ip": 0
         "mac address": 0
         "port": 0
         "process name": 0
         "url": 0
         "user name": 0
       }
       dedupeCount: 0
     }
   }
   playbookType: automation
   playbookName: 5d900c28b8d1555745c09908ef133337
   soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
   soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
{
data: {
   app: soar
   jsonSchemaVersion:"5.0.3"
   page: UNKNOWN_PAGE
   blocks: {
     totalCount: 14
     blockTypes: {
       action: 2
       playbook: 1
       code: 1
       utility: 1
       filter: 1
       decision: 1
       format: 6
       prompt: 1
     }
     customCodeBlockCount: 3
     customCodeBlockTypeCounts: {
       start: 0
       end: 1
       action: 2
       playbook: 0
       code: 0
       utility: 0
       filter: 0
       decision: 0
       format: 0
       prompt: 0
     }
     actions: ["geolocate ip", "whois domain"]
   }
   hotkeys: {
     totalCount: 14
     interactions: {
       addMiniMenu: 7
       addActionBlock: 6
       addPlaybookBlock: 0
       addCodeBlock: 0
       addUtilityBlock: 0
       addFilterBlock: 0
       addDecisionBlock: 0
       addFormatBlock: 1
       addPromptBlock: 0
       autoArrange: 1
       zoomToFit: 1
       zoomIn: 0
       zoomOut: 0
       savePlaybook: 1
       deleteNode: 0
       toggleEditor: 1
       toggleDebugger: 1
       toggleSettings: 1
       showShortcutModal: 1
     }
       }
       features: {
     customConditionLabel: 3
     customDatapaths: 2
     playbookInputs: {
       count: 0
       dataTypes: {
         "domain": 0
         "file id": 0
         "file name": 0
         "file path": 0
         "hash": 0
         "host name": 0
         "ip": 0
         "mac address": 0
         "port": 0
         "process name": 0
         "url": 0
         "user name": 0
       }
     }
     playbookOutputs: {
       count: 1
       dataTypes: {
         "domain": 1
         "file id": 0
         "file name": 0
         "file path": 0
         "hash": 0
         "host name": 0
         "ip": 0
         "mac address": 0
         "port": 0
         "process name": 0
         "url": 0
         "user name": 0
       }
       dedupeCount: 0
     }
       }
       playbookType: automation
       playbookName: 5d900c28b8d1555745c09908ef133337
       soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
       soarUserID: 5d900c28b8d1555745c09908ef386860
     }
     deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
     eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
     experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
     optInRequired: 3
     timestamp: 1576695256840
     visibility: anonymous
}
app.session.soar.vpeTime

app.session.phantom.vpeTime

Reports the time in milliseconds it took for the VPE to load in the browser.
	component: app.session.soar.vpeTime
data: {
   app: soar
   pageLoadTime: 10298
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
{  
data: {
   app: soar
   pageLoadTime: 10298
  }
 deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
 eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
 experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
 optInRequired: 3
 timestamp: 1576695256840
 visibility: anonymous
}
automation.summary objects
automation.summary.app_summary A summary of apps installed on the system.
  • app_name: The human-readable name of the app.
  • description: A description of what the app does.
  • version: The version number of the app.
  • product_name: The product name of the app.
  • product_vendor: The product vendor of the app.
{
  'type': 'event',
  'component': 'automation.summary.app_summary',
  'data': {
'app_name': 'MaxMind',
'description': 'This app provides IP geolocation with the included MaxMind database',
'version': '2.2.5',
'product_name': 'GeoIP2',
'product_vendor': 'MaxMind',
'soarDeploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None,
'cloudWorksEnvironment': 'dev'
  },
  'deploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
  'optInRequired': 3,
  'version': None,
  'timestamp': 1685128654000,
  'visibility': [
'anonymous'
  ]
}
automation.summary.
case_summary
A summary of opened and closed cases in the last 24 hours.
  • opened: The number of created cases in the last 24 hours.
  • closed: The number of cases closed in the last 24 hours.
  • promoted: The number of items promoted to a case in the last 24 hours.
{
  'type': 'aggregate',
  'component': 'automation.summary.case_summary',
  'data': {
'opened': 120,
'closed': 87,
'promoted': 12,
'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None
  },
  'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
  'optInRequired': 3,
  'version': None,
  'timestamp': 1685658250000,
  'visibility': [
'anonymous'
  ],
  'indexData': True,
  'begin': 1685491200000,
  'end': 1685577599000
}
automation.summary.
ingestion_status
Ingestion status and events ingested per Splunk SOAR deployment.
  • adhoc: Counts of adhoc ingestion runs by status
  • automated: Counts of automated ingestion runs by status
  • all: Counts of both ingestion runs by status
    • Succesful
    • Failed
    • Running
    • Total
  • event_ingested_count: Count of events ingested over the past day
{
  'type': 'aggregate',
  'component': 'automation.summary.ingestion_status',
  'data': {
'adhoc': None,
'automated': None,
'all': {
  'total': 1,
  'success': 1,
  'failed': 0,
  'running': 0
},
'event_ingested_count': 1,
'soarDeploymentID': 'soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc',
'license': 'standard',
'productVersion': '10155.0.0.124976',
'missionControlDeploymentID': None,
'cloudWorksEnvironment': 'stg'
  },
  'deploymentID': 'soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc',
  'optInRequired': 3,
  'version': None,
  'timestamp': 1684358758000,
  'visibility': [
'anonymous'
  ],
  'indexData': True,
  'begin': 1684281600000,
  'end': 1684367999000
} 
automation.summary.
playbook_names
A summary of playbooks names and whether or not a playbook is custom.
  • community: The list of playbook names that are community playbooks that were updated over the last day.
  • custom: The list of playbooks that are custom made by the end user that were updated over the last day.
  • custom_count: A count of playbooks that are custom made by the end user that were updated over the last day.
  • community_count: A count of playbooks that are community playbooks that were updated over the last day.
{
  'type': 'aggregate',
  'component': 'automation.summary.playbook_names',
  'data': {
    'community': [
      'AD_LDAP_Entity_Attribute_Lookup',
      'wannacry_prevent',
      'wannacry_remediate',
      'zscaler_hunt_and_block_url',
      'zscaler_malicious_file_response',
      'zscaler_patient_0_parse_email'
    ],
    'community_count': 136,
    'custom': [
      'testa1'
    ],
    'custom_count': 1,
    'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
    'license': 'community',
    'productVersion': '6.1.0.58',
    'missionControlDeploymentID': None
  },
  'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
  'optInRequired': 3,
  'version': None,
  'timestamp': 1685658250000,
  'visibility': [
    'anonymous'
  ],
  'indexData': True,
  'begin': 1685491200000,
  'end': 1685577599000
}
automation.summary.
playbook_runs.by_trigger
Counts of playbook runs by trigger, either adhoc or by automation, aggregated over the last day. Emitted once daily.
begin: 1663891200000
   component: automation.summary.playbook_runs.by_trigger
   data: { 
     adhoc: { 
       failed: 0
       running: 0
       success: 2
       total: 2
     }
     all: { 
       failed: 0
       running: 0
       success: 2
       total: 2
     }
     automated: { 
       failed: 0
       running: 0
       success: 0
       total: 0
     }
     cloudWorksEnvironment: dev
     missionControlDeploymentID: 917660C8-50E1-407B-86C5-D5061176245C
     soarDeploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81

     productVersion: 10155.0.0.98349
     license: standard
   }
   deploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81
   end: 1663977599000
   indexData: true
   optInRequired: 3
   timestamp: 1663977609000
   type: aggregate
visibility: [ 
     anonymous
   ]
}
automation.summary.
publish_telemetry_time_taken
Start time, end time, and a the calculated total time of the telemetry publish job.
  • start_time: start time of the publish job
  • end_time: end time of the publish job
  • total_time: total time of the job
    (calculated by taking end_time then subtracting start_time)
{
  'type': 'event',
  'component': 'automation.summary.publish_telemetry_time_taken',
  'data': {
'start_time': 28244.781,
'end_time': 28244.812,
'total_time': 0.031,
'soarDeploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None,
'cloudWorksEnvironment': 'dev'
  },
  'deploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
  'optInRequired': 3,
  'version': None,
  'timestamp': 1685128654000,
  'visibility': [
'anonymous'
  ],
  'indexData': True,
  'begin': None,
  'end': None
}
automation.summary.
workbook_summary
A summary of opened and closed workbooks.
  • opened: statistics for workbook tasks and phases created in the last 24 hours.
    • unique_containers
    • total_tasks
    • total_phases
  • started: statistics for workbook tasks and phases started in the last 24 hours.
    • unique_containers
    • total_tasks
    • total_phases
  • closed: statistics for workbook tasks and phases closed in the last 24 hours.
    • unique_containers
    • total_tasks
    • total_phases
{
  'type': 'aggregate',
  'component': 'automation.summary.case_summary',
  'data': {
'opened': {
'unique_containers': 3,
'total_tasks': 15,
'total_phases': 45,
},
'started': {
    'unique_containers': 2,
    'total_tasks': 2,
    'total_phases': 4,
},
'closed': {
    'unique_containers': 2,
    'total_tasks': 4,
    'total_phases': 12,
},
'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None
  },
  'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
  'optInRequired': 3,
  'version': None,
  'timestamp': 1685658250000,
  'visibility': [
'anonymous'
  ],
  'indexData': True,
  'begin': 1685491200000,
  'end': 1685577599000
}
orchestration. objects
orchestration.summary.
action_runs.by_trigger
Counts of action runs by trigger, either adhoc or by automation, aggregated over the last day. Emitted once daily.

adhoc: Counts of adhoc action runs by status

  • Succesful
  • Failed
  • Running
  • Pending
  • Total

automated: Counts of automated action runs by status

all: Counts of both adhoc and automated playbook runs by status

cloudWorksEnvironment: The environment in which the Splunk SOAR cloud stack is deployed; development (dev), staging (stg), or live (lve).

missionControlDeploymentID: A nullable field identifying the Splunk Mission Control instance paired to the Splunk SOAR instance

soarDeploymentID: Uniquely identifies the Splunk SOAR stack that emitted the metric

{
   begin: 1663891200000
   component: orchestration.summary.action_runs.by_trigger
   data: {
     adhoc: {
       failed: 0
       pending: 0
       running: 0
       success: 1
       total: 1
     }
     all: {
       failed: 5
       pending: 0
       running: 0
       success: 5
       total: 10
     }
     automated: {
       failed: 5
       pending: 0
       running: 0
       success: 4
       total: 9
     }
     cloudWorksEnvironment: dev
     missionControlDeploymentID: 917660C8-50E1-407B-86C5-D5061176245C
     soarDeploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81

     productVersion: 10155.0.0.98349
     license: standard
   }
   deploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81
   end: 1663977599000
   indexData: true
   optInRequired: 3
   timestamp: 1663977609000
   type: aggregate
   visibility: [ 
     anonymous
   ]
}
Last modified on 04 November, 2024
Assess app and asset connectivity and ingestion  

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters