Publisher: Splunk
Connector Version: 3.0.0
Product Vendor: Splunk Inc.
Product Name: Splunk Enterprise
Minimum Product Version: 7.0.0
This app integrates with Splunk to run investigate and ingestion actions and to update data on the device.
This app also supports API token based authentication. Please follow the steps mentioned in this documentation to generate an API token.
NOTE - If the username/password and API token are both provided, then the API token will be given preference and a token-based authentication workflow will be used.
This app uses the Splunk-SDK module, which is licensed under the Apache Software License, Copyright (c) 2011-2024 Splunk, Inc.
Please check the permissions for the state file as mentioned below.
- For Non-NRI Instance: /opt/phantom/local_data/app_states/91883aa8-9c81-470b-97a1-5d8f7995f560/{asset_id}_state.json
- For NRI Instance: /phantomcyber/local_data/app_states/91883aa8-9c81-470b-97a1-5d8f7995f560/{asset_id}_state.json
- File Rights: rw-rw-r-- (664) (The Splunk SOAR user should have read and write access for the state file)
- File Owner: appropriate Splunk SOAR user
The endpoint used by the post data action is not supported on Splunk Cloud Platform. Hence, the following steps are not applicable for Splunk Cloud Platform.
For sending events to the Splunk Platform, the user configured in the asset requires the edit_tcp capability. Follow the steps below to configure it:
- Log in to the Splunk Platform
- Go to Settings > Roles
- Click on the role of the user configured in the asset (example: user) and go to Capabilities
- Search for 'edit_tcp' in the capabilities and enable it for that role
- To check that the capability has been granted to your user, go to Settings > Users, open the Edit dropdown and select View Capabilities
- Search for 'edit_tcp'; if a tick appears beside it, the permission has been enabled for the user
- container_name_prefix:
  - Name to give containers created via ingestion
  - User can select a field name from the events data
    - If the provided field exists, then container_name_prefix will be the value against the provided field from the events data
    - If the provided field does not exist, then container_name_prefix will be the provided field name itself
  - If the container_name_prefix parameter is not provided:
    - If the event data contains the '_time' field, then container_name_prefix will be 'Splunk Log Entry on <value of the _time field>'
    - If the event data does not contain the '_time' field, then container_name_prefix will be 'Splunk Log Entry'
  - Users can provide a string. Example: Test title
- container_name_values:
  - Values to append to the container name created via ingestion
  - User can provide CIM fields
  - If the container_name_values parameter is provided:
    - If the provided field exists, then container_name_values will be the value against the provided CIM field or its CIM field mapping from the events data
    - If neither a CIM field mapping nor the CIM field itself is present in the event data, then container_name_values will be the CIM field mapping or CIM field
  - If the container_name_values parameter is not provided:
    - If the 'container_name_prefix' parameter is not provided, then container_name_values will be 'source'
    - If the 'container_name_prefix' parameter is provided, then container_name_values will be empty
  - Users can provide a comma-separated string. Example: test1, test2
- Container count to update the state file:
  - This parameter allows the user to specify a number of containers and is only used in scheduled or interval polling
  - Every time the count of ingested containers reaches the count provided by the user, the "start_time" stored in the state file is updated to the index time of that event
  - The default value is 100
- splunk_app:
  - The app context of the namespace
  - As per the Splunk SDK's documentation, if the splunk_app parameter is not provided, then "system" will be used as splunk_app
- splunk_owner:
  - The owner context of the namespace
  - As per the Splunk SDK's documentation, if the splunk_owner parameter is not provided, then "nobody" will be used as splunk_owner
- retry_count:
  - Number of retries
  - To run a query against the Splunk server using the splunklib library, the query given by the user is first parsed. The parsed query is then used to create a job, and once the job is ready the results are fetched. If an exception occurs during any of these steps, the code retries that step up to the number of times given in the "retry count" configuration parameter.
  - It is also used if an error or exception occurs while posting data in the "post data" action or modifying the event in the "update event" action.
- remove_empty_cef:
  - Remove CEF fields having empty values from the artifact
  - It allows the user to remove CEF fields having empty values from the artifact during ingestion. If the value of the parameter is 'true', CEF fields having empty values will be removed.
- sleeptime_in_requests:
  - The time to wait for the next REST call (max 120 seconds)
  - It allows the user to add sleep time between the REST calls while performing the "run_query", "update_event", "get host events" and "on poll" actions.
- splunk_job_timeout:
  - The duration in seconds to wait before a scheduled Splunk job times out
  - It allows the user to configure the duration after which the connector should consider the Splunk job as timed out.
- on_poll_display:
  - Fields to save with On Poll
  - Users can select the fields from the events which they want to ingest in the artifact
  - If the on_poll_display parameter is not provided, then all the fields that are extracted from the events will be ingested in the respective artifacts
  - Users can provide comma-separated field names. Example: field1, field2, field3
- If the on_poll_query (query to use with On Poll) parameter is not provided, then an error message will be returned
- If the on_poll_command (command for the query to use with On Poll) parameter is not provided and the on_poll_query does not start with "|" or "search", then the "search" keyword is added at the beginning of the on_poll_query
  - Example: on_poll_command: None; on_poll_query: index = "main"; Final query generated internally: search index = "main"
- If the on_poll_command parameter is not provided and the on_poll_query starts with "|" or "search", then the final query will be the same as the query provided in the on_poll_query parameter
  - Example: on_poll_command: None; on_poll_query: search index = "main"; Final query generated internally: search index = "main"
- If the on_poll_command parameter is provided, then the query is formed as: {on_poll_command} {on_poll_query}
  - Example: on_poll_command: search; on_poll_query: index = "main"; Final query generated internally: search index = "main"
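The query-building rules above, as an added Python example (this is not the connector's own code; the case-sensitive "starts with" checks and the whitespace trimming are assumptions about its behaviour):

```python
# Added example (not the connector's own code): builds the final On Poll query
# from on_poll_command / on_poll_query as the documentation describes.
# The case-sensitive startswith checks and the .strip() calls are assumptions.

def build_on_poll_query(on_poll_query, on_poll_command=None):
    """Return the SPL string that On Poll would run.

    Documented rules:
      - on_poll_query missing                       -> error
      - command given                               -> "{command} {query}"
      - no command, query starts with "|"/"search"  -> query unchanged
      - no command otherwise                        -> "search {query}"
    """
    if on_poll_query is None or not on_poll_query.strip():
        raise ValueError("Query to use with On Poll (on_poll_query) is required")

    query = on_poll_query.strip()
    command = (on_poll_command or "").strip()

    if command:
        return f"{command} {query}"
    if query.startswith("|") or query.startswith("search"):
        return query
    return f"search {query}"


# The documentation's own examples, as (command, query) pairs (None = not set).
DOC_EXAMPLES = [
    ("search", 'index = "main" | head 10'),
    ("savedsearch", '"Dashboard Views - Action History"'),
    (None, 'index = "_internal" | table a'),
    (None, "|inputlookup ppf_action_history_searches"),
]


def render_examples(examples=DOC_EXAMPLES):
    """Return [(command, query, final_query), ...] for display or checking."""
    return [(c, q, build_on_poll_query(q, c)) for c, q in examples]


if __name__ == "__main__":
    for command, query, final in render_examples():
        print(f"on_poll_command={command!r} on_poll_query={query!r} -> {final}")
```

Running the file prints each documented example next to the query the rules produce; a missing query raises instead of silently running an empty search.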
To execute this action successfully, the minimum role required is "ess_analyst", but the user can have other roles too.
If the wait_for_confirmation parameter is False (which is the default), the action is faster but there is no confirmation that the notable ID corresponded to an actual notable event. Setting it to True makes the action take longer because it requires an SPL search, but it provides more assurance that the update took place.
The action updates the event for the provided "event_id". If the wait_for_confirmation parameter is True, the action validates the "event_id" provided by the user using the search command: 'search `notable` | search event_id="<event_id>"'.
- If this search command returns more than 0 results, the action updates the event.
- If this search command does not return any results, the action fails with the message "Please provide a valid event ID".
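The confirmation flow described above, as an added Python example (not the connector's own code): `search_fn` and `update_fn` stand in for the connector's Splunk job and REST calls, `KNOWN_NOTABLE_IDS` is constructed data, and the escaping of quotes and backslashes in `event_id` is an added input-handling safeguard that the page itself does not state.

```python
# Added example (not the connector's own code): the confirmation step the
# documentation describes for wait_for_confirmation=True. search_fn/update_fn
# stand in for the connector's Splunk job and REST calls; the quote/backslash
# escaping of event_id is an added safeguard that the page does not state.

KNOWN_NOTABLE_IDS = {"CONSTRUCTED-SID@@notable@@0123abcd"}  # constructed stand-in data


def escape_spl_string(value):
    """Escape a value for use inside a double-quoted SPL string literal,
    so that a quote in the input cannot terminate the literal early."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"')


def build_confirmation_search(event_id):
    """The documented validation search: search `notable` | search event_id="<event_id>"."""
    return 'search `notable` | search event_id="%s"' % escape_spl_string(event_id)


def validate_event_id(event_id, search_fn):
    """True when the validation search returns more than 0 results."""
    return len(search_fn(build_confirmation_search(event_id))) > 0


def update_event(event_id, search_fn, update_fn, wait_for_confirmation=False):
    """Mirror the documented flow: optionally confirm the notable exists, then update."""
    if wait_for_confirmation and not validate_event_id(event_id, search_fn):
        return {"success": False, "message": "Please provide a valid event ID"}
    return update_fn(event_id)


# --- Stand-ins for the real Splunk calls (constructed, run offline) ----------

def fake_search(spl):
    """Pretend Splunk: one result row per known notable whose id the SPL asks for."""
    return [{"event_id": nid} for nid in KNOWN_NOTABLE_IDS
            if build_confirmation_search(nid) == spl]


def fake_update(event_id):
    """Pretend REST update that always succeeds for the given id."""
    return {"success": True, "message": f"updated {event_id}"}


if __name__ == "__main__":
    known = next(iter(KNOWN_NOTABLE_IDS))
    print(update_event(known, fake_search, fake_update, wait_for_confirmation=True))
    print(update_event("missing-id", fake_search, fake_update, wait_for_confirmation=True))
    # A quote inside the id stays inside the literal rather than altering the search.
    print(build_confirmation_search('odd"id'))
```

With `wait_for_confirmation=False` the update is attempted without the search, which is the documented faster path; with `True`, an id that the `notable` macro search cannot find produces the documented failure message instead of an update.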
Use the integer status field to set custom status values (e.g., 1 for 'New', 2 for 'In Progress', etc.). Similarly, use the integer disposition field for custom disposition values (e.g., 0 for 'Undetermined').
This action allows executing arbitrary Splunk REST API calls using the asset's configured credentials and connection settings.
The endpoint parameter is appended to the base URL derived from the asset's device and port (e.g., https://<device>:<port>/). Do not include the base URL in the endpoint parameter. Examples: services/search/jobs, services/server/info
The verify_ssl parameter defaults to the asset's Verify Server Certificate setting if not explicitly provided.
Authentication uses the asset's API token (Bearer) or username/password, consistent with all other actions in this app.
There are two approaches to polling, as described below.
POLL NOW (Manual polling)
- It fetches the data every time as per the corresponding asset configuration parameters. It does not store the last run context of the fetched data.
Scheduled/Interval Polling
- The ingestion action is triggered after each specified time interval. It stores the last run context of the fetched data and starts fetching new data based on the combination of the stored context from the previous ingestion run and the corresponding asset configuration parameters.
Notes
- In case "on poll" returns any 4XX except 403, validate your search query on Splunk
- Sample "Query" to use with On Poll: index="_internal" | stats count by host, source, sourcetype | head 5 | rename host as h0st | rename source as devicehostname
- Sample "Fields to save with On Poll" (if not provided, "on poll" will store all the fields): source,sourcetype,hostname
- If the on_poll_parse_only parameter is True, it disables the expansion of the search due to evaluation of sub-searches, time term expansion, lookups, tags, eventtypes, and sourcetype aliases. This parameter is used to validate the Splunk query before fetching the results
- If multiple severities are returned for an incident in the "on poll" action, the highest "severity" is given priority. If "severity" is not present in the incident, the "urgency" of the incident is used. If "urgency" is also not present, the ingested container "severity" defaults to "medium".
Helpful examples to run on poll
- The query will fetch the top 10 events from the result of the index = "main" search.
  - on_poll_command: "search"
  - on_poll_query: index = "main" | head 10
  - Final query generated internally: search index = "main" | head 10
- The query will execute the query saved in the savedsearch named "Dashboard Views - Action History".
  - on_poll_command: "savedsearch"
  - on_poll_query: "Dashboard Views - Action History"
  - Final query generated internally: savedsearch "Dashboard Views - Action History"
- The query will perform statistics for the datamodel and give the total count of events fetched for datamodel = Authentication.
  - on_poll_command: "tstats"
  - on_poll_query: "count from datamodel=Authentication"
  - Final query generated internally: "tstats count from datamodel=Authentication"
- The query will display field "a" in table format for the results fetched from the 'search index = "_internal"' search.
  - on_poll_command: None
  - on_poll_query: index = "_internal" | table a
  - Final query generated internally: search index = "_internal" | table a
- This query will fetch all the events with sourcetype = "modular_alerts:notable", app="phantom", and user="admin".
  - on_poll_command: None
  - on_poll_query: index=* sourcetype="modular_alerts:notable" app="phantom" user="admin"
  - Final query generated internally: search index=* sourcetype="modular_alerts:notable" app="phantom" user="admin"
- This query will get the count of the events that are indexed in the index named "main".
  - on_poll_command: None
  - on_poll_query: index="main" | stats count
  - Final query generated internally: search index="main" | stats count
- This query will add a field with name = "a" and value = "abc" to all the events that are indexed in the index named "main".
  - on_poll_command: None
  - on_poll_query: index="main" | eval a = "abc"
  - Final query generated internally: search index="main" | eval a = "abc"
- This query will fetch only the sourcetype of all the events that are indexed in the index named "main".
  - on_poll_command: None
  - on_poll_query: index="main" | fields sourcetype
  - Final query generated internally: search index="main" | fields sourcetype
- This query will fetch all the events having tag = error and index = main.
  - on_poll_command: None
  - on_poll_query: index="_internal" tag=error
  - Final query generated internally: search index="_internal" tag="error"
- This query will show the data of the "ppf_action_history_searches" lookup.
  - on_poll_command: None
  - on_poll_query: |inputlookup ppf_action_history_searches
  - Final query generated internally: |inputlookup ppf_action_history_searches
By default, the "source" field is used to name the ingested containers. To customize the container names, use the two settings in the asset configuration. For example, if a hostname is expected in the container name, the "Name to give containers created via ingestion" parameter can be set to "Notable Splunk Event" and "Values to append to container name" parameter can be set to "host". This will set the container name to "Notable Splunk Event, host=my.sample.host". The appended values can be a comma-separated list.
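The container-naming rules for container_name_prefix and container_name_values described earlier and illustrated in the paragraph above, together with the severity fallback from the "on poll" notes (severity, then urgency, then "medium"), applied to a constructed event as an added Python example. This is not the connector's own code: the CIM-to-CEF mapping table, the severity ranking used to pick the "highest" value, the comma-joined "prefix, field=value" layout for the default case, and the handling of list-valued severities are all assumptions.

```python
# Added example (not the connector's own code). It applies the documented
# container_name_prefix / container_name_values rules and the documented
# severity fallback (severity -> urgency -> "medium") to a constructed event.
# CIM_TO_CEF, SEVERITY_RANK, the "prefix, k=v" join for the default case and
# the handling of list-valued severities are assumptions.

DEFAULT_PREFIX = "Splunk Log Entry"

# Assumed CIM -> CEF name mapping for the few fields used here.
CIM_TO_CEF = {
    "src": "sourceAddress",
    "dest": "destinationAddress",
    "user": "sourceUserName",
    "host": "deviceHostname",
}

# Assumed ranking used to pick the "highest" of several severities.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def resolve_prefix(event, container_name_prefix=None):
    """Apply the documented container_name_prefix rules."""
    if container_name_prefix:
        # An existing field name is replaced by its value; any other string
        # (e.g. "Test title") is used literally.
        return str(event.get(container_name_prefix, container_name_prefix))
    if "_time" in event:
        return f"{DEFAULT_PREFIX} on {event['_time']}"
    return DEFAULT_PREFIX


def resolve_values(event, container_name_values=None, prefix_provided=False):
    """Apply the documented container_name_values rules; returns name parts."""
    if not container_name_values:
        # Documented default: 'source' when no prefix was given, else nothing.
        names = [] if prefix_provided else ["source"]
    else:
        names = [n.strip() for n in container_name_values.split(",") if n.strip()]
    parts = []
    for name in names:
        cef_name = CIM_TO_CEF.get(name)
        if name in event:
            parts.append(f"{name}={event[name]}")
        elif cef_name and cef_name in event:
            parts.append(f"{name}={event[cef_name]}")
        else:
            # Neither the CIM field nor its CEF mapping is present: keep the name itself.
            parts.append(name)
    return parts


def build_container_name(event, container_name_prefix=None, container_name_values=None):
    """Combine prefix and values, e.g. 'Notable Splunk Event, host=my.sample.host'."""
    prefix = resolve_prefix(event, container_name_prefix)
    parts = resolve_values(event, container_name_values,
                           prefix_provided=bool(container_name_prefix))
    return ", ".join([prefix] + parts)


def resolve_severity(event):
    """Highest severity wins; fall back to urgency, then to 'medium'."""
    severities = event.get("severity")
    if isinstance(severities, str):
        severities = [severities]
    known = [str(s).lower() for s in severities or [] if str(s).lower() in SEVERITY_RANK]
    if known:
        return max(known, key=SEVERITY_RANK.__getitem__)
    urgency = event.get("urgency")
    if urgency:
        return str(urgency).lower()
    return "medium"


# Constructed sample event (not real Splunk data).
SAMPLE_EVENT = {
    "_time": "2024-01-15T10:42:00",
    "source": "/var/log/auth.log",
    "host": "my.sample.host",
    "user": "alice",
    "severity": ["low", "high", "medium"],
}

if __name__ == "__main__":
    print(build_container_name(SAMPLE_EVENT, "Notable Splunk Event", "host"))
    print(build_container_name(SAMPLE_EVENT))
    print(build_container_name(SAMPLE_EVENT, "Test title"))
    print(resolve_severity(SAMPLE_EVENT))
```

The first call reproduces the paragraph's own example ("Notable Splunk Event, host=my.sample.host"); the second shows the default naming that uses `_time` and `source` when neither setting is configured.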
The user must use the appropriate special characters in the query according to the individual use case; otherwise the query will end up providing unexpected results. The following is a list of several such special characters:
- Non-breaking space
- Soft hyphen
- Micro symbol
- Division symbol
- Non-breaking hyphen
- En dash
- Em dash
- Ellipsis
There can exist more such characters apart from the ones listed above.
The app uses the HTTP/HTTPS protocol for communicating with the Splunk server. Below are the default ports used by Splunk SOAR.
| SERVICE NAME | TRANSPORT PROTOCOL | PORT |
|---|---|---|
| http | tcp | 80 |
| https | tcp | 443 |
8089 is the default port used by Splunk Server.
This table lists the configuration variables required to operate Splunk. These variables are specified when configuring a Splunk Enterprise asset in Splunk SOAR.
| VARIABLE | REQUIRED | TYPE | DESCRIPTION |
|---|---|---|---|
| device | required | string | Device IP/Hostname |
| port | optional | numeric | Port |
| username | optional | string | Username |
| password | optional | password | Password |
| api_token | optional | password | API token |
| splunk_owner | optional | string | The owner context of the namespace |
| splunk_app | optional | string | The app context of the namespace |
| timezone | optional | string | Splunk Server Timezone |
| verify_server_cert | optional | boolean | Verify Server Certificate |
| on_poll_command | optional | string | Command for query to use with On Poll |
| on_poll_query | optional | string | Query to use with On Poll |
| on_poll_display | optional | string | Fields to save with On Poll |
| on_poll_parse_only | optional | boolean | Parse Only |
| max_container | optional | numeric | Max events to ingest for Scheduled Polling (Default: 100) |
| container_update_state | optional | numeric | Container count to update the state file |
| container_name_prefix | optional | string | Name to give containers created via ingestion |
| container_name_values | optional | string | Values to append to container name |
| retry_count | optional | numeric | Number of retries |
| remove_empty_cef | optional | boolean | Remove CEF fields having empty values from the artifact |
| sleeptime_in_requests | optional | numeric | The time to wait for next REST call (max 120 seconds) |
| include_cim_fields | optional | boolean | Option to keep original Splunk CIM together with SOAR CEF fields |
| splunk_job_timeout | optional | numeric | The duration in seconds to wait before a scheduled Splunk job times out |
| use_event_id_sdi | optional | boolean | Option to use the event_id field value as the source data identifier instead of the full event hash |
test connectivity - test connectivity
get host events - Get events pertaining to a host that have occurred in the last 'N' days
make request - make request
on poll - on poll
post data - Post data to Splunk
run query - Run a search query on the Splunk device. Please escape any quotes that are part of the query string
update event - Update a notable event
test connectivity
Type: test
Read only: True
Basic test for app.
No parameters are required for this action
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Get events pertaining to a host that have occurred in the last 'N' days
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| ip_hostname | required | Hostname/IP to search the events of | string | ip host name |
| last_n_days | optional | Number of days ago | string | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.ip_hostname | string | ip host name | |
| action_result.parameter.last_n_days | string | ||
| action_result.data.*.host | string | ||
| action_result.data.*._time | string | ||
| action_result.data.*._raw | string | ||
| action_result.summary.sid | string | ||
| action_result.summary.total_events | numeric | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
make request
Type: generic
Read only: False
'make request' action for the app. Used to handle arbitrary HTTP requests with the app's asset
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| http_method | required | The HTTP method to use for the request. | string | |
| endpoint | required | Splunk REST API endpoint to call, appended to https://<device>:<port>/. Example: 'services/search/jobs' | string | |
| headers | optional | The headers to send with the request (JSON object). An example is {'Content-Type': 'application/json'} | string | |
| query_parameters | optional | Parameters to append to the URL (JSON object or query string). An example is ?key=value&key2=value2 | string | |
| body | optional | The body to send with the request (JSON object). An example is {'key': 'value', 'key2': 'value2'} | string | |
| timeout | optional | The timeout for the request in seconds. | numeric | |
| verify_ssl | optional | Whether to verify the SSL certificate. Defaults to the asset's 'Verify Server Certificate' setting. | boolean | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.http_method | string | ||
| action_result.parameter.endpoint | string | ||
| action_result.parameter.headers | string | ||
| action_result.parameter.query_parameters | string | ||
| action_result.parameter.body | string | ||
| action_result.parameter.timeout | numeric | ||
| action_result.parameter.verify_ssl | boolean | ||
| action_result.data.*.status_code | numeric | 200 | |
| action_result.data.*.response_body | string | {} | |
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
on poll
Type: ingest
Read only: True
Callback action for the on_poll ingest functionality
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| start_time | optional | Start of time range, in epoch time (milliseconds). | numeric | |
| end_time | optional | End of time range, in epoch time (milliseconds). | numeric | |
| container_count | optional | Maximum number of container records to query for. | numeric | |
| artifact_count | optional | Maximum number of artifact records to query for. | numeric | |
| container_id | optional | Comma-separated list of container IDs to limit the ingestion to. | string | |
No Output
Post data to Splunk
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| data | required | Data to post | string | |
| host | optional | Host for event | string | ip host name |
| index | optional | Index to send event to | string | |
| source | optional | Source for event | string | |
| source_type | optional | Type of source for event | string | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.data | string | ||
| action_result.parameter.host | string | ip host name | |
| action_result.parameter.index | string | ||
| action_result.parameter.source | string | ||
| action_result.parameter.source_type | string | ||
| action_result.data.*.status | string | ||
| action_result.data.*.message | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Run a search query on the Splunk device. Please escape any quotes that are part of the query string
Type: investigate
Read only: True
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| command | optional | Beginning command (in Splunk Processing Language) | string | |
| query | required | Query to run (in Splunk Processing Language) | string | splunk query |
| display | optional | Display fields (comma-separated) | string | |
| parse_only | optional | Parse only | boolean | |
| add_raw_field | optional | Ingest _raw field data | boolean | |
| attach_result | optional | Attach result to the vault | boolean | |
| start_time | optional | Earliest time modifier | string | |
| end_time | optional | Latest time modifier | string | |
| search_mode | optional | Search mode | string | |
| time_format | optional | Custom timestamp format | string | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.command | string | ||
| action_result.parameter.query | string | splunk query | |
| action_result.parameter.display | string | ||
| action_result.parameter.parse_only | boolean | ||
| action_result.parameter.add_raw_field | boolean | ||
| action_result.parameter.attach_result | boolean | ||
| action_result.parameter.start_time | string | ||
| action_result.parameter.end_time | string | ||
| action_result.parameter.search_mode | string | ||
| action_result.parameter.time_format | string | ||
| action_result.summary.sid | string | ||
| action_result.summary.total_events | numeric | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Update a notable event
Type: generic
Read only: False
| PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
|---|---|---|---|---|
| event_ids | required | Event ID to update | string | splunk notable event id |
| owner | optional | New owner for the event | string | |
| status | optional | New status for the event | string | |
| integer_status | optional | Integer representing custom status value | string | |
| urgency | optional | New urgency for the event | string | |
| comment | optional | New comment for the event | string | |
| disposition | optional | New disposition field | string | |
| integer_disposition | optional | Integer representing custom disposition value | string | |
| wait_for_confirmation | optional | Validate event_ids | boolean | |
| DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
|---|---|---|---|
| action_result.status | string | success failure | |
| action_result.message | string | ||
| action_result.parameter.event_ids | string | splunk notable event id | |
| action_result.parameter.owner | string | ||
| action_result.parameter.status | string | ||
| action_result.parameter.integer_status | string | ||
| action_result.parameter.urgency | string | ||
| action_result.parameter.comment | string | ||
| action_result.parameter.disposition | string | ||
| action_result.parameter.integer_disposition | string | ||
| action_result.parameter.wait_for_confirmation | boolean | ||
| action_result.data.*.status | string | ||
| action_result.data.*.failure_count | numeric | ||
| action_result.data.*.message | string | ||
| action_result.data.*.success | boolean | True False | |
| action_result.data.*.success_count | numeric | ||
| action_result.summary.sid | string | ||
| action_result.summary.updated_event_id | string | ||
| summary.total_objects | numeric | 1 | |
| summary.total_objects_successful | numeric | 1 | |
Auto-generated Splunk SOAR Connector documentation.
Copyright 2026 Splunk Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.