Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple artifacts being added to one container

N_K
Engager
‎04-09-2025 12:52 AM

Using the Splunk App for SOAR I am creating events in SOAR using a dashboard in Splunk. I'm facing an issue where the same form submission in the dashboard is resulting in multiple artifacts being created in the one event rather than a new event being created for all submissions.

Events in Splunk are held for 30 days, this can results in a time sensitive request being requested and run 30 days ago for example, but if it's requested again n those 30 days it won't generate a new event and run the playbook.

I could probably add a unique ID to the form submissions which would result in a new container being made (as the artifact values wouldn't be identical) but I was wondering if there's an option in the app or in SOAR to always generate a new container? 

 

Thanks

Labels (1)
Labels
0 Karma
Reply

marnall
Motivator
‎04-09-2025 11:24 AM

Could you elaborate on the dashboard you are using? Is it a custom dashboard that sends HTTP requests to SOAR to create new containers and artifacts, or are you using the Event Forwarding settings of the Splunk App for SOAR Export?

 

If you are using the Event Forwarding settings, then check which field has the checkbox to group, as this will cause results with the same grouping field to be added to the same container in SOAR.

0 Karma
Reply

N_K
Engager
‎04-10-2025 12:33 AM

No fields have the group option checked!

I've started adding a UID to all requests which has fixed the issue, would like to know if there is a setting somewhere else though 

0 Karma
Reply

marnall
Motivator
‎04-13-2025 12:58 PM

When you don't include the UID, are there any differences in the field values? What pattern do you see in how it adds artifacts to containers? E.g. are there specific fields which determine the container that the artifact gets added to, or does it add artifacts to the most recently created container?

Depending on how you would like it to behave, you could throttle the creation of new artifacts by using a outputlookup and NOT [|inputlookup] commands in your saved search used to forward events to SOAR, then use a time field to make sure the artifacts+containers are different.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...