Splunk

Details
Content
Dependencies
Version History

Fetch events as incidents and search Splunk

This content pack runs queries on Splunk servers and fetches events from both Splunk Enterprise Security (ES) and non-ES environments.

What does this pack do?

This pack includes two integrations designed for different Splunk ES versions:

SplunkPy

The primary integration for Splunk ES versions up to 8.1, which automatically fetches notable events from Splunk along with their context data. The integration provides the analyst with comprehensive incident information directly in the XSOAR/XSIAM console.

SplunkPy v2

Designed for Splunk ES version 8.2 and higher, supporting the new Splunk Enterprise Security architecture (Findings and Investigations).

Using the commands in these integrations, you can leverage the Splunk API capabilities, such as:

Running SPL (Splunk Search Processing Language) queries
Managing events
Working with KV store collections (create, search, update, delete)
Enriching events with Asset, Identity, and Drilldown data
Managing indexes and submitting events
Bi-directional mirroring between Splunk and Cortex XSOAR

Note:
When mirroring or fetching incidents between Splunk and Cortex XSOAR, you need to map Splunk users to Cortex XSOAR users.

This content pack runs queries on Splunk servers and fetches events from both Splunk Enterprise Security (ES) and non-ES environments.

What does this pack do?

This pack includes two integrations designed for different Splunk ES versions:

SplunkPy

SplunkPy v2

Designed for Splunk ES version 8.2 and higher, supporting the new Splunk Enterprise Security architecture (Findings and Investigations).

Using the commands in these integrations, you can leverage the Splunk API capabilities, such as:

Running SPL (Splunk Search Processing Language) queries
Managing events
Working with KV store collections (create, search, update, delete)
Enriching events with Asset, Identity, and Drilldown data
Managing indexes and submitting events
Bi-directional mirroring between Splunk and Cortex

Note:
When mirroring or fetching incidents between Splunk and Cortex, you need to map Splunk users to Cortex XSOAR users.

Automations

Name	Description
SplunkConvertNotesToTable	This script is used to convert Splunk notes to a table.
SplunkShowIdentity	Automation to display identity objects from Splunk.
SplunkConvertConsolidatedFindingsToMD	Renders the Splunk Investigation `consolidated_findings` JSON payload as a Markdown summary (key/value table for scalar fields plus a transposed table for parallel array columns such as `search_name`, `_time`, `dest`, `risk_score`, `severity`, and `src`). Designed for use as a dynamic-section in the Splunk Investigation layout.
SplunkAddNote	Use this script to add a note with a tag (the "Note tag to Splunk" defined in the instance configuration) as an entry in Cortex XSOAR, which will then be mirrored as a note to a Splunk finding. This script should be run within an incident.
SplunkShowDrilldown	Automation to display drilldown search results from Splunk.
SplunkPySearch	Deprecated. No available replacement. Run a query through Splunk and format the results as a table.
SplunkAddComment	Use this script to add a comment with a tag (the "Comment tag to Splunk" defined in the instance configuration) as an entry in Cortex XSOAR, which will then be mirrored as a comment to a Splunk issue. This script should be run within an incident.
SplunkConvertCommentsToTable	This script is used to convert Splunk comments to a table.
SplunkShowAsset	Automation to display asset objects from Splunk.

Classifiers

Name	Description
Splunk - Classifier	Classifies Splunk events.
SplunkPyV2 - Classifier	Classifies SplunkPy v2 events (Splunk Finding and Splunk Investigation).
Splunk Finding - Incoming Mapper	Maps Splunk Finding incoming fields.
Splunk - Notable Generic Incoming Mapper	Maps Splunk ES incoming fields.
Splunk - Incoming Mapper	Maps Splunk logs fields.
Splunk - Notable Generic Outgoing Mapper	Maps Splunk ES outgoing fields.
Splunk ES - Incoming Mapper	Maps Splunk Enterprise Security (ES) Finding and Investigation incoming fields.
Splunk Finding - Outgoing Mapper	Maps Splunk Finding outgoing fields for mirror-out functionality.
Splunk ES - Outgoing Mapper	Maps Splunk Enterprise Security (ES) Finding and Investigation outgoing fields for mirror-out functionality.

Incident Fields

Name	Description
Notable Owner	The owner of the notable.
Successful Drilldown Enrichment	Indicates whether the drilldown enrichment was successful.
Splunk Notable Reviewer	The reviewer of the notable.
Splunk Investigation ID	The investigation ID from Splunk Mission Control (e.g. ES-00015).
Splunk Drilldown	The drilldown searches from Splunk.
Splunk Status	The status from Splunk.
Splunk Investigation GUID	The investigation GUID from Splunk Mission Control.
Splunk Intermediate Finding IDs	Intermediate finding IDs associated with the Splunk investigation.
Splunk Security Domain	The security domain from Splunk.
Splunk Sensitivity	The sensitivity from Splunk.
Splunk Incident Origin	The incident origin from Splunk Mission Control (e.g. MC Incident).
Splunk Implicit Finding IDs	Finding IDs implicitly associated with the Splunk investigation.
Splunk Notes	the Splunk Notes
Successful Identity Enrichment	Indicates whether the identity enrichment was successful.
Splunk Investigation Type	The investigation type from Splunk Mission Control (e.g. default).
Successful Asset Enrichment	Indicates whether the asset enrichment was successful.
Splunk ES Event Type	The Splunk ES event type tag (Finding or Investigation) used by the classifier to route events to the correct incident type.
Splunk Dest Risk Object Type	The destination risk object type from Splunk.
Notable Drilldown	The result of the drilldown search.
Splunk Comments	the notable comments
Splunk Urgency	The urgency from Splunk.
Notable Status	The Splunk notable status. Can be one of the following New, In Progress, Pending, Resolved, Closed
Splunk Excluded Finding IDs	Finding IDs explicitly excluded from the Splunk investigation.
Notable Urgency	The urgency of the notable.
Splunk Risk Object	The risk objects associated with the Splunk investigation (array of risk object identifiers).
Notable - ID	The ID of the notable
Splunk Incident IDs	The incident IDs associated with the Splunk investigation findings.
Splunk Consolidated Findings	Consolidated findings JSON payload from the Splunk investigation. Stored as a JSON string and rendered as Markdown in a dedicated layout tab via the SplunkConvertConsolidatedFindingsToMD script.
Splunk Investigation Name	The investigation name from Splunk Mission Control.
Splunk Dest Risk Score	The destination risk score from Splunk.
Splunk Disposition	The disposition from Splunk.

Incident Types

Name	Description
Splunk Investigation
Splunk Notable Generic
Splunk Finding

Integrations

Name	Description
SplunkPy v2	Run queries on Splunk and fetch Splunk ES Findings and Investigations (Splunk ES 8.2+).
SplunkPy	Run queries on Splunk and fetch Notable Events (Splunk ES versions up to 8.2).

Layouts

Name	Description
Splunk Notable Generic
Splunk Investigation
Splunk Finding

Playbooks

Name	Description
Splunk Generic	This is a generic playbook to be executed for the Splunk Notable Generic incident type. The playbook performs all the common parts of the investigation, including notifying the SOC, enriching the data for indicators and users, calculating the severity, assigning the incident, notifying the SIEM admin for false positives and more.
Splunk Indicator Hunting	This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators.

Automations

Name	Description
SplunkConvertCommentsToTable	This script is used to convert Splunk comments to a table.
SplunkAddComment	Use this script to add a comment with a tag (the "Comment tag to Splunk" defined in the instance configuration) as an entry in Cortex, which will then be mirrored as a comment to a Splunk issue. This script should be run within an incident.
SplunkConvertNotesToTable	This script is used to convert Splunk notes to a table.
SplunkShowDrilldown	Automation to display drilldown search results from Splunk.
SplunkPySearch	Deprecated. No available replacement. Run a query through Splunk and format the results as a table.
SplunkShowIdentity	Automation to display identity objects from Splunk.
SplunkShowAsset	Automation to display asset objects from Splunk.
SplunkAddNote	Use this script to add a note with a tag (the "Note tag to Splunk" defined in the instance configuration) as an entry in Cortex, which will then be mirrored as a note to a Splunk finding. This script should be run within an incident.
SplunkConvertConsolidatedFindingsToMD	Renders the Splunk Investigation `consolidated_findings` JSON payload as a Markdown summary (key/value table for scalar fields plus a transposed table for parallel array columns such as `search_name`, `_time`, `dest`, `risk_score`, `severity`, and `src`). Designed for use as a dynamic-section in the Splunk Investigation layout.

Classifiers

Name	Description
Splunk - Classifier	Classifies Splunk events.
SplunkPyV2 - Classifier	Classifies SplunkPy v2 events (Splunk Finding and Splunk Investigation).
Splunk ES - Outgoing Mapper	Maps Splunk Enterprise Security (ES) Finding and Investigation outgoing fields for mirror-out functionality.
Splunk ES - Incoming Mapper	Maps Splunk Enterprise Security (ES) Finding and Investigation incoming fields.
Splunk - Notable Generic Outgoing Mapper	Maps Splunk ES outgoing fields.
Splunk Finding - Incoming Mapper	Maps Splunk Finding incoming fields.
Splunk Finding - Outgoing Mapper	Maps Splunk Finding outgoing fields for mirror-out functionality.
Splunk - Notable Generic Incoming Mapper	Maps Splunk ES incoming fields.
Splunk - Incoming Mapper	Maps Splunk logs fields.

Incident Fields

Name	Description
Splunk Implicit Finding IDs	Finding IDs implicitly associated with the Splunk investigation.
Notable Drilldown	The result of the drilldown search.
Splunk Investigation Name	The investigation name from Splunk Mission Control.
Successful Drilldown Enrichment	Indicates whether the drilldown enrichment was successful.
Notable Owner	The owner of the notable.
Splunk Consolidated Findings	Consolidated findings JSON payload from the Splunk investigation. Stored as a JSON string and rendered as Markdown in a dedicated layout tab via the SplunkConvertConsolidatedFindingsToMD script.
Splunk Urgency	The urgency from Splunk.
Splunk Notes	the Splunk Notes
Successful Identity Enrichment	Indicates whether the identity enrichment was successful.
Notable Status	The Splunk notable status. Can be one of the following New, In Progress, Pending, Resolved, Closed
Splunk Drilldown	The drilldown searches from Splunk.
Splunk Status	The status from Splunk.
Splunk Disposition	The disposition from Splunk.
Notable - ID	The ID of the notable
Splunk Investigation GUID	The investigation GUID from Splunk Mission Control.
Splunk Intermediate Finding IDs	Intermediate finding IDs associated with the Splunk investigation.
Splunk Investigation Type	The investigation type from Splunk Mission Control (e.g. default).
Splunk Excluded Finding IDs	Finding IDs explicitly excluded from the Splunk investigation.
Splunk Dest Risk Score	The destination risk score from Splunk.
Successful Asset Enrichment	Indicates whether the asset enrichment was successful.
Splunk Risk Object	The risk objects associated with the Splunk investigation (array of risk object identifiers).
Splunk Dest Risk Object Type	The destination risk object type from Splunk.
Splunk Notable Reviewer	The reviewer of the notable.
Splunk Investigation ID	The investigation ID from Splunk Mission Control (e.g. ES-00015).
Notable Urgency	The urgency of the notable.
Splunk ES Event Type	The Splunk ES event type tag (Finding or Investigation) used by the classifier to route events to the correct incident type.
Splunk Security Domain	The security domain from Splunk.
Splunk Sensitivity	The sensitivity from Splunk.
Splunk Incident IDs	The incident IDs associated with the Splunk investigation findings.
Splunk Incident Origin	The incident origin from Splunk Mission Control (e.g. MC Incident).
Splunk Comments	the notable comments

Incident Types

Name	Description
Splunk Notable Generic
Splunk Investigation
Splunk Finding

Integrations

Name	Description
SplunkPy	Run queries on Splunk and fetch Notable Events (Splunk ES versions up to 8.2).
SplunkPy v2	Run queries on Splunk and fetch Splunk ES Findings and Investigations (Splunk ES 8.2+).

Playbooks

Name	Description
Splunk Generic	This is a generic playbook to be executed for the Splunk Notable Generic alert type. The playbook performs all the common parts of the investigation, including notifying the SOC, enriching the data for indicators and users, calculating the severity, assigning the alert, notifying the SIEM admin for false positives and more.
Splunk Indicator Hunting	This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators.

Required Content Packs (9)

Pack Name	Pack By
Access Investigation	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Phishing	By: Cortex XSOAR
PhishingAlerts	By: Cortex XSOAR

All level dependencies (12)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

4.2.1 - 10281058 (June 18, 2026)

Scripts

SplunkAddNote

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkConvertNotesToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkConvertConsolidatedFindingsToMD

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

Related pull requests:
- 44716

Download

4.2.0 - 9839730 (June 3, 2026)

Integrations

SplunkPy v2

Added the splunk-investigation-create command, which creates a new investigation in Splunk Enterprise Security.
Added the splunk-investigation-list command, which lists investigations from Splunk Enterprise Security with support for filtering by investigation ID, status, owner, urgency, sensitivity, disposition, and create/update time ranges.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.8936013.

Related pull requests:
- 44364

Download

4.1.0 - 9069814 (May 17, 2026)

Classifiers

SplunkPyV2 - Classifier

Added the SplunkPyV2 - Classifier that classifies SplunkPy v2 events into Splunk Finding and Splunk Investigation incident types.

Incident Fields

Splunk Status
Updated the Splunk Status incident field to align with the new Splunk Investigation incident type.
Splunk Urgency
Updated the Splunk Urgency incident field to align with the new Splunk Investigation incident type.
Splunk Sensitivity
Updated the Splunk Sensitivity incident field to align with the new Splunk Investigation incident type.
Splunk Disposition
Updated the Splunk Disposition incident field to align with the new Splunk Investigation incident type.
Splunk Notes
Updated the Splunk Notes incident field to align with the new Splunk Investigation incident type.
Splunk Implicit Finding IDs
New: Added a new incident field - Splunk Implicit Finding IDs.
Splunk Excluded Finding IDs
New: Added a new incident field - Splunk Excluded Finding IDs.
Splunk Intermediate Finding IDs
New: Added a new incident field - Splunk Intermediate Finding IDs.
Splunk Risk Object
New: Added a new incident field - Splunk Risk Object.
Splunk Incident Origin
New: Added a new incident field - Splunk Incident Origin.
Splunk Investigation GUID
New: Added a new incident field - Splunk Investigation GUID.
Splunk Investigation ID
New: Added a new incident field - Splunk Investigation ID.
Splunk Investigation Name
New: Added a new incident field - Splunk Investigation Name.
Splunk Investigation Type
New: Added a new incident field - Splunk Investigation Type.
Splunk Incident IDs
New: Added a new incident field - Splunk Incident IDs.
Splunk ES Event Type
New: Added a new incident field - Splunk ES Event Type.
Splunk Consolidated Findings
New: Added a new incident field - Splunk Consolidated Findings.

Incident Types

Splunk Investigation
New: Added a new incident type - Splunk Investigation for Splunk Mission Control investigations ingested by SplunkPy v2.

Integrations

SplunkPy v2

Added support for fetching Splunk Mission Control investigations.
Added the Maximum investigations per fetch parameter.
Added the Event types to fetch parameter.
Added the First fetch timestamp (Investigations) parameter.
Added the Investigations fetch query parameter.
Added the splunk-update-investigation command.

Layouts

Splunk Investigation
Added the Splunk Investigation layout.

Mappers

Splunk ES - Incoming Mapper

Added the Splunk ES - Incoming Mapper that maps incoming Splunk Finding and Splunk Investigation fields.

Splunk ES - Outgoing Mapper

Added the Splunk ES - Outgoing Mapper that maps outgoing Splunk Finding and Splunk Investigation fields for mirror-out functionality.

Scripts

SplunkConvertConsolidatedFindingsToMD

Added the SplunkConvertConsolidatedFindingsToMD script that renders Splunk Investigation consolidated findings as a Markdown table.

Related pull requests:
- 44242

Download

4.0.10 - 8994397 (May 13, 2026)

Scripts

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkAddNote

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkConvertNotesToTable

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44128

Download

4.0.9 - 8960961 (May 12, 2026)

Integrations

SplunkPy

Updated the Docker image to: demisto/splunksdk-py3:1.0.0.8198656.

Related pull requests:
- 44108

Download

4.0.8 - 8727847 (May 4, 2026)

Integrations

SplunkPy v2

Added support for the finding_time argument in the splunk-finding-event-edit command, fixing an issue that caused the command to fail.

Related pull requests:
- 44145

Download

4.0.7 - 8382811 (April 20, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

4.0.6 - 8195766 (April 12, 2026)

Integrations

SplunkPy v2

Fixed an issue where splunk-finding-event-edit failed.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.7241125.

Related pull requests:
- 43717

Download

4.0.5 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

4.0.4 - 7001339 (February 3, 2026)

Integrations

SplunkPy

Fixed an issue where the fetch incidents did not work as expected after performing a reset last run when enrichment was configured.
Updated the splunk-search command to return a warning message when search results exceeded recommended size limits.

SplunkPy v2

Updated the splunk-search command to return a warning message when search results exceeded recommended size limits.

Related pull requests:
- 42432

Download

4.0.3 - 6580350 (January 6, 2026)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

4.0.2 - 6462993 (December 28, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

SplunkPy v2

Documentation and metadata improvements.

Playbooks

Splunk Indicator Hunting

Updated the Splunk Indicator Hunting playbook to include SplunkPy v2 as an optional SIEM integration.

Related pull requests:
- 42365

Download

4.0.1 - 6341494 (December 18, 2025)

Integrations

SplunkPy

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

SplunkPy v2

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Added the Unique ID Fields parameter to help prevent duplicate incident IDs.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

Related pull requests:
- 42242

Download

4.0.0 - 6283053 (December 15, 2025)

Incident Fields

New: Splunk Dest Risk Object Type
New: Splunk Dest Risk Score
New: Splunk Disposition
New: Splunk Drilldown
New: Splunk Security Domain
New: Splunk Sensitivity
New: Splunk Status
New: Splunk Urgency
New: Splunk Notes

Incident Types

New: Splunk Finding

Integrations

New: SplunkPy v2

Added the SplunkPy v2 integration, designed to provide compatibility for Splunk ES version 8.2 and higher.

Layouts

New: Splunk Finding

Mappers

New: Splunk Finding - Incoming Mapper

Maps Splunk Finding incoming fields.

New: Splunk Finding - Outgoing Mapper

Maps Splunk Finding outgoing fields for mirror-out functionality.

Scripts

New: SplunkAddNote

Added the SplunkAddNote script to add notes to Splunk findings.

New: SplunkConvertNotesToTable

Added the SplunkConvertNotesToTable script to convert Splunk notes into a MD table format.

SplunkShowDrilldown

Maintenance and stability improvements.

Related pull requests:
- 42115
- 42242

Download

3.3.8 - 6238358 (December 11, 2025)

Scripts

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.12.6204436.

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42247

Download

3.3.7 - 6197444 (December 8, 2025)

Integrations

SplunkPy

Fixed an issue in drilldown search queries that occurred when the Fetch Events query parameter included a "fillnull" command.

Related pull requests:
- 41938

Download

3.3.6 - 6138854 (December 4, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate incidents could occur during daylight saving time transitions.

Related pull requests:
- 41971

Download

3.3.5 - 5717993 (November 3, 2025)

Scripts

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

3.3.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

3.3.3 - 5538136 (October 23, 2025)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.3.2 - R5469292 (October 20, 2025)

Integrations

SplunkPy

Fixed an issue where the SplunkPy integration failed to format mirrored comments with missing title or content fields.

Related pull requests:
- 41514

Download

3.3.1 - R5172709 (September 29, 2025)

Integrations

SplunkPy

Added support for splunk-job-share command that change job settings to share its results to all splunk users, and change its ttl.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4887903.

Related pull requests:
- 41418
- 41374

Download

3.3.0 - 4915660 (September 17, 2025)

Integrations

SplunkPy

Added support for backward compatibility after upgrading to Splunk Enterprise Security version 8 and later. For information about new limitations in ES 8+, see the Splunk ES 8+ Upgrade Limitations section in the Integration README.

Related pull requests:
- 41127

Download

3.2.20 - 4881695 (September 14, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command failed due to incorrect identification of missing indexes.

Related pull requests:
- 41265

Download

3.2.19 - 4661576 (August 26, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate entries were created during the mirror-in process.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4418698.

Related pull requests:
- 41029

Download

3.2.18 - 4384561 (July 31, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command could fail with an 'index not found' error, even when a valid index was provided as an argument.

Related pull requests:
- 40745

Download

3.2.17 - R4246904 (July 21, 2025)

Splunk

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.2.16 - R3980324 (June 26, 2025)

Integrations

SplunkPy

Fixed an issue that prevented incidents from being closed in XSOAR when a notable was closed in Splunk while using mirror-in functionality.
Improved mirroring reliability by subtracting 60 seconds from the last update timestamp to account for indexing delays.

Related pull requests:
- 39610

Download

3.2.15 - 3849419 (June 18, 2025)

Scripts

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40221

Download

4.2.1 - 10281058 (June 18, 2026)

Scripts

SplunkAddNote

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkConvertNotesToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkConvertConsolidatedFindingsToMD

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.13.10116658.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

Related pull requests:
- 44716

Download

4.2.0 - 9839730 (June 3, 2026)

Integrations

SplunkPy v2

Added the splunk-investigation-create command, which creates a new investigation in Splunk Enterprise Security.
Added the splunk-investigation-list command, which lists investigations from Splunk Enterprise Security with support for filtering by investigation ID, status, owner, urgency, sensitivity, disposition, and create/update time ranges.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.8936013.

Related pull requests:
- 44364

Download

4.1.0 - 9069814 (May 17, 2026)

Classifiers

SplunkPyV2 - Classifier

Added the SplunkPyV2 - Classifier that classifies SplunkPy v2 events into Splunk Finding and Splunk Investigation incident types.

Incident Fields

Splunk Status
Updated the Splunk Status incident field to align with the new Splunk Investigation incident type.
Splunk Urgency
Updated the Splunk Urgency incident field to align with the new Splunk Investigation incident type.
Splunk Sensitivity
Updated the Splunk Sensitivity incident field to align with the new Splunk Investigation incident type.
Splunk Disposition
Updated the Splunk Disposition incident field to align with the new Splunk Investigation incident type.
Splunk Notes
Updated the Splunk Notes incident field to align with the new Splunk Investigation incident type.
Splunk Implicit Finding IDs
New: Added a new incident field - Splunk Implicit Finding IDs.
Splunk Excluded Finding IDs
New: Added a new incident field - Splunk Excluded Finding IDs.
Splunk Intermediate Finding IDs
New: Added a new incident field - Splunk Intermediate Finding IDs.
Splunk Risk Object
New: Added a new incident field - Splunk Risk Object.
Splunk Incident Origin
New: Added a new incident field - Splunk Incident Origin.
Splunk Investigation GUID
New: Added a new incident field - Splunk Investigation GUID.
Splunk Investigation ID
New: Added a new incident field - Splunk Investigation ID.
Splunk Investigation Name
New: Added a new incident field - Splunk Investigation Name.
Splunk Investigation Type
New: Added a new incident field - Splunk Investigation Type.
Splunk Incident IDs
New: Added a new incident field - Splunk Incident IDs.
Splunk ES Event Type
New: Added a new incident field - Splunk ES Event Type.
Splunk Consolidated Findings
New: Added a new incident field - Splunk Consolidated Findings.

Incident Types

Splunk Investigation
New: Added a new incident type - Splunk Investigation for Splunk Mission Control investigations ingested by SplunkPy v2.

Integrations

SplunkPy v2

Added support for fetching Splunk Mission Control investigations.
Added the Maximum investigations per fetch parameter.
Added the Event types to fetch parameter.
Added the First fetch timestamp (Investigations) parameter.
Added the Investigations fetch query parameter.
Added the splunk-update-investigation command.

Mappers

Splunk ES - Incoming Mapper

Added the Splunk ES - Incoming Mapper that maps incoming Splunk Finding and Splunk Investigation fields.

Splunk ES - Outgoing Mapper

Added the Splunk ES - Outgoing Mapper that maps outgoing Splunk Finding and Splunk Investigation fields for mirror-out functionality.

Scripts

SplunkConvertConsolidatedFindingsToMD

Added the SplunkConvertConsolidatedFindingsToMD script that renders Splunk Investigation consolidated findings as a Markdown table.

Related pull requests:
- 44242

Download

4.0.10 - 8994397 (May 13, 2026)

Scripts

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkAddNote

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkConvertNotesToTable

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.13.8428455.

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44128

Download

4.0.9 - 8960961 (May 12, 2026)

Integrations

SplunkPy

Updated the Docker image to: demisto/splunksdk-py3:1.0.0.8198656.

Related pull requests:
- 44108

Download

4.0.8 - 8727847 (May 4, 2026)

Integrations

SplunkPy v2

Added support for the finding_time argument in the splunk-finding-event-edit command, fixing an issue that caused the command to fail.

Related pull requests:
- 44145

Download

4.0.7 - 8382811 (April 20, 2026)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 43976

Download

4.0.6 - 8195766 (April 12, 2026)

Integrations

SplunkPy v2

Fixed an issue where splunk-finding-event-edit failed.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.7241125.

Related pull requests:
- 43717

Download

4.0.5 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

4.0.4 - 7001339 (February 3, 2026)

Integrations

SplunkPy

Fixed an issue where the fetch incidents did not work as expected after performing a reset last run when enrichment was configured.
Updated the splunk-search command to return a warning message when search results exceeded recommended size limits.

SplunkPy v2

Updated the splunk-search command to return a warning message when search results exceeded recommended size limits.

Related pull requests:
- 42432

Download

4.0.3 - 6580350 (January 6, 2026)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

4.0.2 - 6462993 (December 28, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

SplunkPy v2

Documentation and metadata improvements.

Playbooks

Splunk Indicator Hunting

Updated the Splunk Indicator Hunting playbook to include SplunkPy v2 as an optional SIEM integration.

Related pull requests:
- 42365

Download

4.0.1 - 6341494 (December 18, 2025)

Integrations

SplunkPy

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

SplunkPy v2

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Added the Unique ID Fields parameter to help prevent duplicate incident IDs.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

Related pull requests:
- 42242

Download

4.0.0 - 6283053 (December 15, 2025)

Incident Fields

New: Splunk Dest Risk Object Type
New: Splunk Dest Risk Score
New: Splunk Disposition
New: Splunk Drilldown
New: Splunk Security Domain
New: Splunk Sensitivity
New: Splunk Status
New: Splunk Urgency
New: Splunk Notes

Incident Types

New: Splunk Finding

Integrations

New: SplunkPy v2

Added the SplunkPy v2 integration, designed to provide compatibility for Splunk ES version 8.2 and higher.

Layouts

New: Splunk Finding

Mappers

New: Splunk Finding - Incoming Mapper

Maps Splunk Finding incoming fields.

New: Splunk Finding - Outgoing Mapper

Maps Splunk Finding outgoing fields for mirror-out functionality.

Scripts

New: SplunkAddNote

Added the SplunkAddNote script to add notes to Splunk findings.

New: SplunkConvertNotesToTable

Added the SplunkConvertNotesToTable script to convert Splunk notes into a MD table format.

SplunkShowDrilldown

Maintenance and stability improvements.

Related pull requests:
- 42115
- 42242

Download

3.3.8 - 6238358 (December 11, 2025)

Scripts

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.12.6204436.

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42247

Download

3.3.7 - 6197444 (December 8, 2025)

Integrations

SplunkPy

Fixed an issue in drilldown search queries that occurred when the Fetch Events query parameter included a "fillnull" command.

Related pull requests:
- 41938

Download

3.3.6 - 6138854 (December 4, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate incidents could occur during daylight saving time transitions.

Related pull requests:
- 41971

Download

3.3.5 - 5717993 (November 3, 2025)

Scripts

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

3.3.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

3.3.3 - 5538136 (October 23, 2025)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.3.2 - R5469292 (October 20, 2025)

Integrations

SplunkPy

Fixed an issue where the SplunkPy integration failed to format mirrored comments with missing title or content fields.

Related pull requests:
- 41514

Download

3.3.1 - R5172709 (September 29, 2025)

Integrations

SplunkPy

Added support for splunk-job-share command that change job settings to share its results to all splunk users, and change its ttl.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4887903.

Related pull requests:
- 41418
- 41374

Download

3.3.0 - 4915660 (September 17, 2025)

Integrations

SplunkPy

Added support for backward compatibility after upgrading to Splunk Enterprise Security version 8 and later. For information about new limitations in ES 8+, see the Splunk ES 8+ Upgrade Limitations section in the Integration README.

Related pull requests:
- 41127

Download

3.2.20 - 4881695 (September 14, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command failed due to incorrect identification of missing indexes.

Related pull requests:
- 41265

Download

3.2.19 - 4661576 (August 26, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate entries were created during the mirror-in process.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4418698.

Related pull requests:
- 41029

Download

3.2.18 - 4384561 (July 31, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command could fail with an 'index not found' error, even when a valid index was provided as an argument.

Related pull requests:
- 40745

Download

3.2.17 - R4246904 (July 21, 2025)

Splunk

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.2.16 - R3980324 (June 26, 2025)

Integrations

SplunkPy

Fixed an issue that prevented incidents from being closed in XSOAR when a notable was closed in Splunk while using mirror-in functionality.
Improved mirroring reliability by subtracting 60 seconds from the last update timestamp to account for indexing delays.

Related pull requests:
- 39610

Download

3.2.15 - 3849419 (June 18, 2025)

Scripts

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40221

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	June 18, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.