icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Demisto Add-on for Splunk
SHA256 checksum (demisto-add-on-for-splunk_400.tgz) d0fb52aec38ddaaa893892637c435cf6504b4cdaedd04db6a3306b3953b469a3 SHA256 checksum (demisto-add-on-for-splunk_308.tgz) e4d7009809de0c75638664fde1fa2b9915bea49bf8b20a622017a1968f4e8c07 SHA256 checksum (demisto-add-on-for-splunk_307.tgz) a08144accb8627efbcefea8b85903246c33a1c2e8e5867a41abd5f57dbd1bf81 SHA256 checksum (demisto-add-on-for-splunk_306.tgz) 89d9042268470ad4b16ef9af388f030d4c2ac3ea0495ae19f4db2e7cef9bb5f6 SHA256 checksum (demisto-add-on-for-splunk_305.tgz) f00e5a8323b109eb09b9a16cce322a44ee985c6f19875a951c41499deddd5bdf SHA256 checksum (demisto-add-on-for-splunk_304.tgz) a43a844ca1bbb8f188dddd9a8d61be523e9a24d643bfb62d243b774a1aca75d3 SHA256 checksum (demisto-add-on-for-splunk_303.tgz) db84282f6283706a872b3683671fc040a397aaf585eb133ba57810170cf8b090 SHA256 checksum (demisto-add-on-for-splunk_302.tgz) 3e1bfe3a200ea88c75f0c62d0d3453b6bc31f56ab9b4b13b59db5d15d60f7633 SHA256 checksum (demisto-add-on-for-splunk_301.tgz) 0943554d40df45bcacad6f710549643adb92aeb19283d63b7deae5aeee4d1b56 SHA256 checksum (demisto-add-on-for-splunk_300.tgz) f20561b98ffa219f19b99cef8c43da6efddb46191728ae93780e25db4558b68b SHA256 checksum (demisto-add-on-for-splunk_208.tgz) d31be8d1fbbfadc9f4b9e65c08c89b9aec4cd02b9953bd58a371d04b5d71180a SHA256 checksum (demisto-add-on-for-splunk_203.tgz) 98e6f5205ad28a6dbbae333757752a34afe00c1ec82dbefefa69479002d52a68 SHA256 checksum (demisto-add-on-for-splunk_200.tgz) 96a05d2e86986fc767b2878fe5ec15aa7a24b8140a40c33a5d03219c8df95d79 SHA256 checksum (demisto-add-on-for-splunk_107.tgz) 5884ffe765d7c432ba10414a9d7c2b6d089e70c4fd99436fc4826aac72ddbc8d
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Demisto Add-on for Splunk

Splunk Cloud
The Demisto Add-on for Splunk is used to provide user an option to associate Alert actions to push information from Splunk to Cortex XSOAR.


Supporting Add-on for Cortex XSOAR. This application allows a user to create incident into XSOAR from Splunk using custom alert action.
Full documentation for the add-on is available on our site (https://xsoar.pan.dev/docs/reference/articles/splunk-add-on).


  • Splunk version 6.3 >=
  • This application should be installed on Search Head.

Recommended System configuration

  • Standard Splunk configuration of Search Head.

Installation in Splunk Cloud

  • Same as on-premise setup.

Installation of App

  • This app can be installed through UI using "Manage Apps" or from the command line using the following command:
    $SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/TA-Demisto.spl/

  • User can directly extract SPL file into $SPLUNK_HOME/etc/apps/ folder.

Application Setup

  • The user must complete the setup of the application. In order to create incident into XSOAR, a user needs to enter "Launch app" action after installing the add-on and provide the following:
    1) Create a XSOAR instance:
    Under XSOAR Instances tab, press the "Add" button. Choose an instance name, and fill the XSOAR server URL (including port if needed) and the API key fields. The API key is used for authorization with XSOAR. In order to generate this parameter, a user should log in to Demisto and then click on Settings --> Integration --> API Keys.
    2) Set up proxy settings (optional):
    Under Proxy tab, check the "Enable" checkbox and fill all the proxy parameters needed.
    3) Choose log level (optional):
    By default, the logging level is "INFO". You may change the logging level to "DEBUG" in case needed.
    4) Additional Settings (optional):
    • If you have an SSL certificate, please provide its full path under "Location to Certificate" field.
    • By default, "Validate SSL" is enabled.
  • You must restart Splunk in order to apply changes in the configuration settings.

Custom Alert Action

  • This application will add custom alert action named XSOAR Custom Alert Action. The user can configure this action on saved search. The user can pass following parameters to XSOAR:
    1) Name: Name of the alert.
    2) Occurred Time: Time when alert was triggered
    3) Type: Type in XSOAR.
    4) Labels: Comma separated values to be put in the label field.
    5) Severity: Severity of the alert
    6) Details: Details field in the incident.


  • Environment variable SPLUNK_HOME must be set.
  • To troubleshoot Demisto add-on, check $SPLUNK_HOME/var/log/splunk/create_xsoar_incident_modalert.log file.

Release Notes

Version 4.0.0
June 20, 2022

This version was created using Splunk add-on builder version 4.1.0, therefore it does not longer supports python2, as well as Splunk versions lower than 8.0

Changes made from v3.0.8:
- Additional parameter (timeout) was added, it controls the timeout of the incident creation request.
- More logging in case of error added.

Version 3.0.8
Sept. 23, 2021

Fixed an issue where incidents could not be created successfully with SSL certificates.

Version 3.0.7
Sept. 9, 2021

Fixed an issue where ad-hoc incidents from Splunk ES were not created successfully.

Version 3.0.6
July 14, 2021

Fixed an issue where incidents were not created successfully from notable events.

Version 3.0.5
June 21, 2021
  • Fixed an issue where manual Adaptive Response Actions could not be created in Splunk ES.
  • Fixed a python 2-3 compatibility issue.
  • Added some debug logs and informative error messages.
Version 3.0.4
March 18, 2021

Added an option to input custom fields with values that contain commas/colons. The values in this case should be wrapped with apostrophes, quotation marks, backticks, parenthesis or curly brackets.

Version 3.0.3
Feb. 24, 2021
  • Updated add-on icons.
  • Improved debug logs in create_xsoar_incident script.
  • Added "name" field and additional search metadata fields to rawJSON to be used in classification & mapping.
Version 3.0.2
Jan. 13, 2021

Support multiple certificates for multiple servers

Version 3.0.1
Dec. 1, 2020

Stability enhancement for supporting splunk cloud compatibility.

Version 3.0.0
Sept. 22, 2020

New version of Demisto add-on for Splunk, compatible with python 2 and 3.
The upgrade requires reconfiguration of the add-on.

Version 2.0.8
March 3, 2020

Regex improvements

Version 2.0.3
Oct. 28, 2018
  • Ability to send an alert to multiple Demisto servers. Please note that if you upgrade to this version you will need to re-define your alarms and select for each a specific Demisto server or to send the alert to all of the Demisto servers.
Version 2.0.0
Aug. 13, 2018
  • Supporting HTTPS proxy
  • Better error messages
  • Ability to send alerts with special characters in their path, such as “my / alert”
Version 1.0.7
Nov. 20, 2017

-- App Certification Failure Fixed - Batch Stanza
-- Timezone changes while creating Incident

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.