Re: Splunk search dispatchstate check from SOAR?

nongingerale · ‎03-19-2026

What would be the best way, if any, for SOAR to check if a Splunk search is complete/finalized instead of actively running? I see a dispatchState var (https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-tutorials/9.4/rest-api-tuto...) but would like some guidance on how to check this from a soar playbook.

Thanks!

kknairr · ‎03-23-2026

@nongingerale Quick clarification, are your searches being launched directly from SOAR playbooks? or are you trying to monitor searches that were initiated independently in Splunk?

That distinction will determine how to approach this. Since you mentioned REST API polling method, this is applicable if you want SOAR to monitor searches that were started outside of SOAR, you can use an HTTP connector action in your playbook to call the Splunk REST API, and configure the loop setting on that block to keep checking the job status until it reaches the state you care about.

For this use case, you can query the job status endpoint using below format:

https://<host>:<mPort>/services/search/jobs

Playbook design flow:

In a Splunk SOAR playbook, the flow to check whether a Splunk search has completed can be designed around the search job ID (sid). The playbook begins by capturing the sid of the search you want to monitor, then uses an HTTP action block to call Splunk’s REST API endpoint /services/search/jobs/{sid}.

The response includes fields such as dispatchState and isDone, which indicate whether the search is still queued, running, or finalized. By enabling the loop setting on the HTTP action block, the playbook can keep polling this endpoint until the job reaches the desired state (for example in your case, dispatchState=DONE). Once the search is complete, the playbook continues to the next task, such as fetching results or triggering downstream task. Hope it helps.

Reference: Search endpoint descriptions | Splunk Enterprise, Splunk Cloud Platform (last updated 2026-01-10T00:...

>>

If this post addressed your question, you can:

Give it karma to show appreciation 👍
Mark it as the solution if it solved your issue ✔️
Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

nongingerale · ‎04-02-2026

The searches I want to check the state for, are originally started in Splunk not SOAR, I'll check out the services/search/jobs with the splunk HTTP connector, thanks!

phanTom · ‎03-19-2026

@nongingerale

Where are the searches you are checking being initiated from? And what do you need to do with the result of the check?

You can run searches using the Splunk app on SOAR and this will handle all of the checking of status, etc for searches initiated from SOAR.

If you just want to check the status of any search running in Splunk and then <do something> when its status changes to one you want to act upon, you could use a HTTP action with the loop setting on the action block configured within your requirements to keep checking the status of a search job.

-- Hope this helped? If so please add Karma and/or Mark as a Solution for others to see. Happy SOARing! --

nongingerale · ‎04-02-2026

it would be for searches originating from Splunk, not SOAR, since I need to make sure its complete before I continue with an action in SOAR. I'll research/check out the HTTP option, thanks!

Splunk search dispatchstate check from SOAR?

using SOAR ⁄ Phantom

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation