Re: splunk soar run query action in splunk APP

saraomd93 · ‎08-30-2025

♌💓💓

Hello friends,
In order to run a query starting with a pipeline (|) in the run query action of the Splunk App on SOAR version 6.4, you need to prepend an index and hostname that do not actually exist.

Example:

index=not hostname=not append [ | inputlookup ... | eval command=... ]

This way, the query will execute correctly even though the main logic begins with a pipeline.

.

MattHyperion3 · ‎11-09-2025

A better way to approach this is to use inputlookup as your command rather than search

For example to run | inputlookup my_list.csv | search blah...
Configure your action block like this

command: inputlookup
query: my_list.csv | search blah...

this runs the query as expected in Splunk as | inputlookup my_list.csv

Many commands are valid to use which are not listed in the app just as make results and collect etc which are super handy to run in SOAR playbooks!

splunk soar run query action in splunk APP

using SOAR ⁄ Phantom

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation