Configure search in Splunk SOAR (On-premises)
In earlier releases of Splunk SOAR (On-premises), search was handled by an embedded version of Splunk Enterprise. Beginning with release 6.2.0, Splunk SOAR (On-premises) uses PostgreSQL full-text search, which has been modified to accept the * wildcard. For search syntax and examples, see Search within Splunk SOAR (On-premises).
To improve the ability to get Splunk SOAR (On-premises) data into a Splunk Cloud Platform or Splunk Enterprise deployment, support was added for Universal Forwarders. For information about configuring forwarders, see Configure forwarders to send SOAR data to your Splunk deployment.
Splunk SOAR (On-premises) also supports using an Elasticsearch instance for indexing SOAR data.
This list summarizes the available options for configuring forwarding data to a Splunk Enterprise or Splunk Cloud Platform instance from Splunk SOAR (On-premises).
- Splunk Cloud Platform - by configuring a Universal Forwarder Credentials Package and Universal Forwarders
- Splunk Enterprise - by configuring Universal Forwarders
- Elasticsearch - by configuring a forwarder
Configure Splunk SOAR (On-premises) to forward data to Splunk Cloud Platform
Integrating with Splunk Cloud Platform requires the following actions:
- Configure Universal Forwarders and a Universal Forwarder Credentials Package. See Configure forwarders to send SOAR data to your Splunk deployment.
Configure Splunk SOAR (On-premises) to forward data to Splunk Enterprise
Integrating with Splunk Enterprise requires the following actions:
- Configure Universal Forwarders. See Configure forwarders to send SOAR data to your Splunk deployment.
Configure Splunk SOAR (On-premises) to use an external Splunk Cloud Platform or Splunk Enterprise instance for search
This table summarizes the available options for configuring a Splunk Enterprise or Splunk Cloud Platform instance for search in Splunk SOAR (On-premises).
Search Option | Description |
---|---|
Embedded Splunk Enterprise Instance | This is the default. No additional configuration is required. |
External Standalone Splunk Enterprise Instance | Use this option to connect your Splunk SOAR (On-premises) instance or cluster to a single, external instance of Splunk Enterprise or Splunk Cloud Platform. This option requires the Splunk App for SOAR. |
External Distributed Splunk Enterprise Instance | Use this option to connect your Splunk SOAR (On-premises) instance or cluster to a Splunk Enterprise or Splunk Cloud Platform deployment that contains one or more search heads, or one or more indexers with or without a search head cluster or indexer cluster. This option requires the Splunk App for SOAR. |
Integrating with Splunk Cloud Platform requires the following additional information and actions:
- You must use a public certificate from a verified or trusted certificate authority (CA).
- You must contact Splunk Customer Support for assistance with Splunk Cloud Platform integration. You will need to provide the path to your certificate and your CA.
- You must enable certificate verification on your Splunk SOAR (On-premises) assets.
Splunk SOAR (On-premises) also provides support for an external Elasticsearch instance for single-instance deployments of Splunk SOAR (On-premises). Clustered deployments of Splunk SOAR (On-premises) cannot use Elasticsearch as their search endpoint. See Configure Splunk SOAR (On-premises) to use an external Elasticsearch instance.
Configure Splunk SOAR (On-premises) to send data to an Elasticsearch instance
When you configure Splunk SOAR (On-premises) to use an external instance of Elasticsearch, a copy of all indexed and searchable data is sent to the Elasticsearch instance.
- Configure Universal Forwarders. See Configure Splunk SOAR (On-premises) to forward information to ElasticSearch.
Configure the scope of global search using the REST API
You can control the scope used by global search in Splunk SOAR (On-premises) using the /rest/feature_flag/restrict_global_search REST API endpoint. See /rest/feature_flag/<feature_flag_name> for details of the /rest/feature_flag REST API, the parameters it accepts, and examples for changing settings using the endpoint.
In the interest of performance, restrict_global_search defaults to "on" and has the following settings applied:
- Searching the database tables app_run, action_run, and playbook_run is turned off.
- The maximum age of database table entries that will be searched is 30 days.