Create custom status labels in Splunk SOAR (On-premises)

You can create additional status labels for the events and cases in Splunk SOAR (On-premises) as needed for your business processes.

Statuses are grouped into three categories: New, Open, and Resolved. You can create up to 30 total status labels in Splunk SOAR (On-premises).

Status label rules

Status labels must adhere to the following rules:

  • At least one status label must exist for each of the status categories.
  • Only ASCII characters a-z, 0-9, dash ( - ), or underscores ( _ ) are allowed.
  • The name cannot exceed 128 characters in length.
  • The labels New, Open, and Closed are available upon upgrade. These three labels can be deleted, removing them from the active list. These labels cannot be renamed because they are required for backwards compatibility with apps and playbooks.
Note: To maintain backwards compatibility with apps and existing playbooks, if the status labels New, Open, or Closed have been deleted, ingestion apps and the REST API can still assign the statuses New, Open, and Closed to containers.

Create a status label in Splunk SOAR (On-premises)

To create a status label, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Event Settings > Status.
  3. Click Add Item in the status category where you want to create the new status label.
  4. Type the new status name. The status label name must adhere to the status label rules described earlier.
  5. Click Add Item.

To reorder status labels, drag the handle ( ☰ ) on the left side of the status label's input box to the desired position.

To delete a status label, click the circled x ( ⓧ ) to the right of the status label's input box.

To set the status label used as the default label for that status type, select the desired label from the drop-down list in the Default status field.