Skip to main content
Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

Splunk® SOAR (On-premises)
6.3.0
As of version 6.4.0, the visual editor for classic playbooks is no longer part of Splunk SOAR. Before upgrading, convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Monitor the health of your Splunk SOAR (On-premises) system

Use the System Health page to view a summary of your Splunk SOAR (On-premises) instance. The System Health page includes the following information:

  • Running status of Splunk SOAR (On-premises) processes
  • Resource consumption
  • Health and status of critical processes

Use the System Health page as a starting point to begin troubleshooting issues. Splunk support might ask for the results of this page to start a troubleshooting investigation.

Perform the following tasks to get to the System Health page:

  1. From the main menu, select Administration.
  2. Select System Health > System Health.

This screen image shows the System Health page. The main elements on the page are described in the text immediately following this image.

The following image shows the System Health page for a standalone, non-clustered Splunk SOAR (On-premises) instance. Additional selections such as a selector for individual nodes and ClusterD statistics are available on the System Health page in a clustered deployment. A clustered deployment doesn't have the Database Disk Space panel since the database in a cluster lives on a different host.

The top row of graphs shows you the status of the following system-wide resources:

  • Memory usage
  • Load average
  • Disk usage

Each row after the top row represents the individual system processes important to Splunk SOAR (On-premises). Verify that each process has a green Running status icon. Click Restart if you need to restart any one of the individual processes.

Splunk SOAR (On-premises) runs on top of Linux, so these graphs can be interpreted as you might on any Linux system. On a fairly idle Splunk SOAR (On-premises) system, there might be a significant amount of free memory, unused swap, and a lower load compared to the number of allocated CPU cores. There might also be more free disk space for the database and files.

The Splunk SOAR (On-premises) processing daemons IngestD, DecideD, WorkflowD, and ActionD perform various scheduling, decision, and management functions as well as critical background functions. All four must be running in order for Splunk SOAR (On-premises) to work properly. Splunk SOAR (On-premises) also relies on HTTPD and Postgres, which is the database.

If you registered a mobile device and Enable Mobile App is on, you can see the following behaviors in Splunk SOAR (On-premises):

  • The ProxyD daemon starts automatically. The WatchdogD daemon keeps track of the toggle switch position and adds or removes the ProxyD daemon from the system startup list depending on the status.
  • The System Health page also includes usage statistics for the ProxyD daemon. See Enable or disable registered mobile devices for information about the Enable Mobile App toggle.
Last modified on 31 January, 2025
Enable or disable registered mobile devices   View how much data is ingested in Splunk SOAR (On-premises) using ingestion summary

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters