The following diagram represents a Splunk SOAR (On-premises) Single Server with External Services topology.

This deployment topology is implemented with a single Splunk SOAR (On-premises) node and leverages an external database. The external database is provided by shared corporate services that meet SOAR requirements.

The topology is suitable for one of the following situations:

• You do not have any requirements to provide high-availability or automatic disaster recovery for your Splunk SOAR (On-premises) deployment
• Your event ingestion is < 30,000 events per hour
• You have less than 50 users accessing Splunk SOAR (On-premises)
• You want to enhance resilience by distributing Splunk SOAR (On-premises) functions across multiple nodes

The primary benefits of this topology include the following:

• Simple administration, performance automation and orchestration, and a fixed total cost of ownership (TCO)
• Enhanced administration capabilities for customers with larger databases
• Greater resilience and data durability should the Splunk SOAR (On-premises) node fail

The primary limitations of this topology include the following:

• No High Availability for ingestion and automation
• Scalability limited by hardware capacity

When using the topology, you may find the following information helpful:

• This deployment must be scaled up to handle higher event rates
• Backups of the database are incumbent of the external database being used
• The external services and Splunk SOAR (On-premises) should have as minimal latency between them as possible
• For enhanced availability and resilience, consider utilizing cloud-native services for the database when implementing in cloud environments