Install the Splunk App for SOAR Export on Splunk Enterprise

Install the Splunk App for SOAR Export on a single search head, search head cluster environment, or distributed Splunk Enterprise deployment.

Install the Splunk App for SOAR Export on a single search head

To install the Splunk App for SOAR Export on a single search head, follow these steps:

  1. Download Splunk App for SOAR Export from Splunkbase.
  2. Log into your Splunk platform instance.
  3. In the apps panel, click the gear icon.
  4. Click Install app from file.
  5. Upload the Splunk App for SOAR Export file you downloaded earlier in this procedure.
  6. Confirm that you want to restart Splunk Enterprise to complete the installation.

Note: You can also search for and download the Splunk App for SOAR Export within Splunk Enterprise.

Install the Splunk App for SOAR Export in a search head cluster

Use a deployer to install the Splunk App for SOAR Export in a search head cluster environment. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

Splunk App for SOAR Export includes a server.conf file that allows configuration changes to be replicated within the search head cluster.

Configuration file location:
$SPLUNK_HOME/etc/apps/phantom/default/server.conf
Relevant configuration: 

[shclustering]
conf_replication_include.phantom = true

Install the Splunk App for SOAR Export in a distributed Splunk Enterprise environment

Use the tables below to determine where and how to install the Splunk App for SOAR Export in a distributed Splunk Enterprise deployment.

Where to install the app in a distributed deployment

Use the table to determine where to install the Splunk App for SOAR Export in a distributed Splunk Enterprise deployment.

Splunk instance type Install the add-on here? Comments
Search Heads Yes Install this add-on on the search head.
Indexers Yes The add-on uses the cim_modactions index for alert and adaptive response actions.
Forwarders No The add-on does not contain inputs for forwarder data collection.

Distributed deployment compatibility

Use the table to check the compatibility of the Splunk App for SOAR Export with Splunk Enterprise distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes Use the search head cluster deployer to distribute the add-on across search head cluster members. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.
Indexer Clusters Yes The add-on uses the cim_modactions index for alert and adaptive response actions.
Deployment Server No The add-on does not contain inputs for forwarder data collection.