Splunk SOAR (f.k.a. Phantom)

Phantom health alert notification

harishlnu
Engager

Hi team,


Could you please help me with how to get health alert notifications in Phantom.

Thanks in advance.


Regards,

Harisha


venkatasri
SplunkTrust

Hi @harishlnu 

One of the ways is using the REST API /rest/health of SOAR; the status field contains all the daemons' health information and additional info on resource utilization.

https://docs.splunk.com/Documentation/SOAR/current/PlatformAPI/RESTInfo#.2Frest.2Fhealth

To monitor it, I would run an external script, or if you are using Splunk Enterprise, use the | restsoar command to call the above REST API and create an alert. You should install the official Splunk App for SOAR (https://splunkbase.splunk.com/app/6361) to use the | restsoar command.

--------

Srikanth Yarlagadda

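One way to script the /rest/health check that @venkatasri describes, as an added example that is not code from the thread or from Splunk: it polls the endpoint with an automation user's ph-auth-token header and flags daemons that are not running or a disk that is nearly full. The host, the token and the exact shape of the status object (the daemons and resources keys) are assumptions; adapt the key names to what your instance actually returns.

```python
"""Poll Splunk SOAR /rest/health and report unhealthy daemons.

Added example, not from the thread. Assumptions (labelled): the response
carries a top-level "status" object with a "daemons" member mapping daemon
names to a dict holding a "status" string, and a "resources" member with
percentage figures. Check your instance's real response and adapt the keys.
"""
import json
import urllib.request

SOAR_URL = "https://soar.example.internal"          # placeholder host
AUTH_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"   # placeholder token

# Constructed sample response for offline testing; its shape is an assumption.
SAMPLE_HEALTH = {
    "status": {
        "daemons": {
            "decided": {"status": "running"},
            "ingestd": {"status": "stopped", "message": "exited with code 1"},
            "actiond": {"status": "running"},
        },
        "resources": {"cpu_percent": 23, "memory_percent": 61, "disk_percent": 91},
    }
}


def fetch_health(base_url=SOAR_URL, token=AUTH_TOKEN, timeout=10):
    """GET /rest/health, authenticating with the ph-auth-token header."""
    req = urllib.request.Request(base_url.rstrip("/") + "/rest/health",
                                 headers={"ph-auth-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def find_problems(health, disk_threshold=85):
    """Return human-readable problems found in a health response; [] means healthy."""
    problems = []
    status = health.get("status", {})
    for name, info in status.get("daemons", {}).items():
        state = str(info.get("status", "unknown")).lower()
        if state != "running":
            detail = info.get("message", "")
            problems.append(f"daemon {name} is {state}" + (f": {detail}" if detail else ""))
    disk = status.get("resources", {}).get("disk_percent")
    if disk is not None and disk >= disk_threshold:
        problems.append(f"disk usage {disk}% >= {disk_threshold}%")
    return problems


if __name__ == "__main__":
    # Run from cron or a monitoring job; a non-empty list is what you would alert on.
    issues = find_problems(fetch_health())
    print("OK" if not issues else "\n".join(issues))
```

The SOAR instance's TLS certificate must be trusted by the host running the script; the automation user only needs read access to the health endpoint.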

harishlnu
Engager

Hi @venkatasri 


Do you have a query to check health alerts using the Splunk App for SOAR?
Kindly help me with this.


Regards,

Harisha


phanTom
SplunkTrust

@harishlnu if you have one of the more recent versions of SOAR, then it now has a forwarder on it with the ability to send a lot of different logs to Splunk via the UF embedded in the platform. There is a huge amount of data in these logs that could be teased out into SPL alerts.

Are you able to advise what kind of things you are looking to monitor?

OS health can be done using the *nix Splunk Add-on; playbook/action failure is in the logs, as well as access data via the wsgi.log file. Daemon logs, such as decided/ingestd/etc., can also provide data about functionality, and these are also able to be sent to Splunk via the Forwarder Settings in Administration in SOAR.


-- Hope this helps! Happy SOARing --


harishlnu
Engager

@phanTom 

My requirement is to get a notification about ingestion.
Example: if a notable is created in Splunk ES, but that notable is not created in Splunk Phantom,
then it should notify us.

Please help me with your suggestion on this.

Regards
Harisha


phanTom
SplunkTrust

@harishlnu 

If a Correlation Search is configured to send to SOAR, then you just need the _internal logs for the modaction send_to_phantom to be checked for failures in sending, and then also use ingestd.log to look for failures to ingest on the SOAR side. The ingestd.log should be one of the DAEMON logs you can forward from SOAR to Splunk.

0 Karma

harishlnu
Engager

@phanTom 


Could you please help me with documentation for reference?


phanTom
SplunkTrust

@harishlnu 

For the forwarding part: https://docs.splunk.com/Documentation/SOARonprem/6.2.1/Admin/Forwarders

The other element is just using SPL to look for things in the logs sent from SOAR to Splunk. The Splunk App for SOAR will have docs on what sourcetypes it sends through, which would include ingestd.log.

You should have enough information now to do some research and start to develop what you need.

-- Happy SOARing --
