icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

Thank You

Downloading Splunk App for SOAR Export
SHA256 checksum (splunk-app-for-soar-export_41117.tgz) 0034ce6e4ed76100db365d36132b5ded9184c4f1c14648dea25d2a134125870e SHA256 checksum (splunk-app-for-soar-export_4173.tgz) c57d28318d4970a2aacb8862dc8d8fc7cf179a6c78e0abee4cb10f342929a8ee SHA256 checksum (splunk-app-for-soar-export_413.tgz) c3f066ee51723ad6284b54d9306cd32a1b3ff46f4817e511d6105c34bb2bbb47 SHA256 checksum (splunk-app-for-soar-export_305.tgz) a10954f4047f281ba8c682714ee70f248e0c1fb936028cf2b5db5e8b45c4a9f2 SHA256 checksum (splunk-app-for-soar-export_252.tgz) 76aaa105685623c1120444b592f1df4e21762eaa80a66821057c94c80745dd24 SHA256 checksum (splunk-app-for-soar-export_2418.tgz) 63166de311e5c1d2886827e095c43e44563c5f3f779eaa0d061aaa0132709662 SHA256 checksum (splunk-app-for-soar-export_2417.tgz) 859a0761350e6426e4d7f286e7d52f431c67f243a06cd40254e0eb0f09f5672f SHA256 checksum (splunk-app-for-soar-export_2416.tgz) 581c9bbb618e41789f4c7b00e3ca27a8681c240662b88fc0977e5de4b7e4ccfc SHA256 checksum (splunk-app-for-soar-export_2415.tgz) edc45346fa387af87a93cee882975dcd27a9c6566bde074e98756904ebab014d SHA256 checksum (splunk-app-for-soar-export_2312.tgz) 75bfde5a001def37d711b747b92d138110cd3f41c1450ca4d785d4444a826c48 SHA256 checksum (splunk-app-for-soar-export_2217.tgz) fceef2eb5a8864dc7bdd65ef810719bb4328b6c1b9f7b0075b9a2e4b3205abc4
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Splunk App for SOAR Export

Splunk Cloud
Splunk Built
This is the official Splunk app that integrates Splunk Enterprise or Splunk Cloud with Splunk SOAR. This app, formerly known as the “Phantom App for Splunk,” is responsible for sending data from your Splunk Enterprise/Cloud instances to Splunk SOAR. Once that data is in Splunk SOAR, you can perform automated actions with over 350+ different security tools.

Also included with this app is an integration with Splunk Enterprise Security, allowing you to send ES data to SOAR.

Splunk SOAR is a Security Automation and Orchestrated Response (SOAR) platform that integrates with your existing security tools in order to provide a layer of “connective tissue” between them. Splunk SOAR streamlines security operations through the execution of digital “Playbooks” to achieve in seconds what may normally take minutes or hours to accomplish with the dozens of products that you use every day.

Splunk SOAR doesn’t replace existing security products, but instead makes your investment in them smarter, faster and stronger.

(Formerly known as Phantom App for Splunk)

To learn more about installation, configuration, and using the Splunk App for SOAR Export read the documentation:

Additional technical documentation also available on Splunk Docs:

If you do not yet have a phantom community account, signup at:

Release Notes

Version 4.1.117
March 14, 2022

Version 4.1.117 Release Notes
- Name of the app has been changed to Splunk App for SOAR Export
- Bug fix: The app UI was not loading if the root_endpoint of Splunk was changed
- Bug fix: Upgrading from beta version 0.0.19 to release version 4.1.73 gave an error message related to earliest_time and latest_time parameters
- Bug fix: Event forwarding configurations were not being updated to either enabled or disabled
- The app now removes items from the KV Store if the item has an invalid label in Splunk SOAR
- Bug fix: Misleading error message was given when syncing workbooks
- Bug fix: Some artifacts were not sent to the correct containers during event retries
- Updated the event parsing regular expression in event forwarding to properly accommodate multiline values
- Set the default python.version to python3
- Optimized the searches performed in event forwarding for better performance

Version 4.1.73
Sept. 11, 2021

Version 4.1.73 Release Notes
- Event forwarding configurations have been converted to save as search alerts instead of reports
- Performance improvement for container and artifact creation in Splunk Phantom and Splunk SOAR
- Custom advanced time parameters “Earliest Time” and “Latest Time” added to saved search event forwarding configuration
- Performance improvements for workbooks tab
- Added bulk workbook management
- Added app.manifest to app folder
- Alert actions and adaptive response actions now use cim_modactions index instead of phantom_modalert index
- Upgraded urllib3 to version 1.26.6 and requests library to 2.25.1

Version 4.1.3
May 27, 2021

Version 4.1.3 Release notes
- This release of the Splunk Phantom App for Splunk connects both Splunk Phantom and Splunk SOAR to your Splunk platform
- Bug fix where Event Forwarding Save and Preview hangs with 0 results
- Splunk Enterprise Security is no longer needed unless performing adaptive response actions or AR Relay
- Splunk events not created in Splunk SOAR and Splunk Phantom are stored in KV Store and attempt to re-send every 60 seconds until successful
- Synchronize workbooks across multiple Splunk SOAR and Splunk Phantom instances
- Alert Action Configurations tab moved to Configurations tab and no longer uses jQuery
- Limit read access to users with phantom role

Version 3.0.5
Dec. 20, 2019

Version 3.0.5 Release notes:
- Bug fix auto mapping cannot be turned off
- Bug fix adaptive response action creating duplicate artifacts
- Global mapping page to save custom mappings, which can be automatically applied to forwarding configurations
- Updated UI for Event Forwarding page

Version 2.5.2
June 13, 2018

This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.

Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/

Version 2.5.2 Release notes
- Support for Splunk 7.1
- Updated copyright information
- Performance improvement on Export configuration with a large number of field mappings
- Bug fix on search field resetting when saved search or data model export is changed
- Bug fix on Export configuration losing updates when the mouse is clicked on outside the configuration window
- Bug fix on selection of invalid value for Scheduled time units
- Bug fix on destinationTranslatedAddress and bytesIn field mappings
- Bug fix on container label when upgrading from 2.2.x version

Version 2.4.18
May 23, 2018

All user documentation can be found in the Phantom platform in Documentation, Administration Manual, Data Sources, Splunk.
You may also visit https://my.phantom.us/docs/admin/splunk with your Phantom account.
Contact support@phantom.us for any support or installation issues. The only system requirement is a functional installation of the Phantom platform.

This app imports Splunk_SA_CIM and SA_Utils libraries, version 4.8.0.

Third party libraries included in this app:
- jQuery-datatables https://datatables.net/
- Select2 https://select2.org/

Installation Notes

Version 2.4.18 Release notes
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server

Version 2.4.17
May 21, 2018

Version 2.4.17 Release notes
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server

Version 2.4.16
May 16, 2018

Important notes for the previous versions are included in the README.txt in the package.

Version 2.4.16 Release notes
- Bug fix on time string error when sending Data Model export on Windows server
- Bug fix on export name containing white space on Windows server

Version 2.4.15
May 16, 2018
Version 2.3.12
Dec. 11, 2017

Important notes for this version are included in the README.txt in the package.

Highlights of this release:
Remove SSL Verification checkbox, add the ability to enable/disable SSL Verification via REST (see README.txt in the package). Note this is prohibited on Splunk Cloud.
Make dropdown fields in the configuration easier to use by sorting and filtering.
Add "save" next to "save and preview"
Include URL to Splunk Results - "_originating_search" now appears in the artifact CEF for adaptive response actions.
Add clone button for event forwarding configuration
Added free-form entry of destination labels
Added the ability to execute a playbook from Alert Actions
Resolve a javascript security issue noted by Splunk security review.
* Resolve error messages in logs, improved error handling

Version 2.2.17
Sept. 20, 2017
  • Update for Splunk Cloud certification
  • Force SSL Verify always enabled, Customer can not choose to disable SSL Verification
  • No other functional changes since 2.2.9

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.