Splunk

Details
Content
Dependencies
Version History

Fetch events as incidents and search Splunk

This content pack runs queries on Splunk servers and fetches events from both Splunk Enterprise Security (ES) and non-ES environments.

What does this pack do?

This pack includes two integrations designed for different Splunk ES versions:

SplunkPy

The primary integration for Splunk ES versions up to 8.1, which automatically fetches notable events from Splunk along with their context data. The integration provides the analyst with comprehensive incident information directly in the XSOAR/XSIAM console.

SplunkPy v2

Designed for Splunk ES version 8.2 and higher, supporting the new Splunk Finding Events architecture.

Using the commands in these integrations, you can leverage the Splunk API capabilities, such as:

Running SPL (Splunk Search Processing Language) queries
Managing events
Working with KV store collections (create, search, update, delete)
Enriching events with Asset, Identity, and Drilldown data
Managing indexes and submitting events
Bi-directional mirroring between Splunk and Cortex XSOAR

Note:
When mirroring or fetching incidents between Splunk and Cortex XSOAR, you need to map Splunk users to Cortex XSOAR users.

This content pack runs queries on Splunk servers and fetches events from both Splunk Enterprise Security (ES) and non-ES environments.

What does this pack do?

This pack includes two integrations designed for different Splunk ES versions:

SplunkPy

SplunkPy v2

Designed for Splunk ES version 8.2 and higher, supporting the new Splunk Finding Events architecture.

Using the commands in these integrations, you can leverage the Splunk API capabilities, such as:

Running SPL (Splunk Search Processing Language) queries
Managing events
Working with KV store collections (create, search, update, delete)
Enriching events with Asset, Identity, and Drilldown data
Managing indexes and submitting events
Bi-directional mirroring between Splunk and Cortex

Note:
When mirroring or fetching incidents between Splunk and Cortex, you need to map Splunk users to Cortex XSOAR users.

Automations

Name	Description
SplunkShowAsset	Automation to display asset objects from Splunk.
SplunkAddComment	Use this script to add a comment with a tag (the "Comment tag to Splunk" defined in the instance configuration) as an entry in Cortex XSOAR, which will then be mirrored as a comment to a Splunk issue. This script should be run within an incident.
SplunkShowIdentity	Automation to display identity objects from Splunk.
SplunkPySearch	Deprecated. No available replacement. Run a query through Splunk and format the results as a table.
SplunkConvertCommentsToTable	This script is used to convert Splunk comments to a table.
SplunkAddNote	Use this script to add a note with a tag (the "Note tag to Splunk" defined in the instance configuration) as an entry in Cortex XSOAR, which will then be mirrored as a note to a Splunk finding. This script should be run within an incident.
SplunkShowDrilldown	Automation to display drilldown search results from Splunk.
SplunkConvertNotesToTable	This script is used to convert Splunk notes to a table.

Classifiers

Name	Description
Splunk - Classifier	Classifies Splunk events.
Splunk Finding - Outgoing Mapper	Maps Splunk Finding outgoing fields for mirror-out functionality.
Splunk - Notable Generic Outgoing Mapper	Maps Splunk ES outgoing fields.
Splunk Finding - Incoming Mapper	Maps Splunk Finding incoming fields.
Splunk - Notable Generic Incoming Mapper	Maps Splunk ES incoming fields.
Splunk - Incoming Mapper	Maps Splunk logs fields.

Incident Fields

Name	Description
Splunk Sensitivity	The sensitivity from Splunk.
Splunk Notable Reviewer	The reviewer of the notable.
Notable - ID	The ID of the notable
Notable Drilldown	The result of the drilldown search.
Splunk Dest Risk Score	The destination risk score from Splunk.
Notable Status	The Splunk notable status. Can be one of the following New, In Progress, Pending, Resolved, Closed
Splunk Urgency	The urgency from Splunk.
Successful Asset Enrichment	Indicates whether the asset enrichment was successful.
Splunk Status	The status from Splunk.
Splunk Comments	the notable comments
Splunk Security Domain	The security domain from Splunk.
Notable Owner	The owner of the notable.
Successful Drilldown Enrichment	Indicates whether the drilldown enrichment was successful.
Splunk Notes	the Splunk Notes
Notable Urgency	The urgency of the notable.
Splunk Dest Risk Object Type	The destination risk object type from Splunk.
Splunk Drilldown	The drilldown searches from Splunk.
Splunk Disposition	The disposition from Splunk.
Successful Identity Enrichment	Indicates whether the identity enrichment was successful.

Incident Types

Name	Description
Splunk Finding
Splunk Notable Generic

Integrations

Name	Description
SplunkPy v2	Run queries on Splunk and fetch Finding Events (Splunk ES 8.2+).
SplunkPy	Run queries on Splunk and fetch Notable Events (Splunk ES versions up to 8.2).

Layouts

Name	Description
Splunk Finding
Splunk Notable Generic

Playbooks

Name	Description
Splunk Indicator Hunting	This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators.
Splunk Generic	This is a generic playbook to be executed for the Splunk Notable Generic incident type. The playbook performs all the common parts of the investigation, including notifying the SOC, enriching the data for indicators and users, calculating the severity, assigning the incident, notifying the SIEM admin for false positives and more.

Automations

Name	Description
SplunkShowIdentity	Automation to display identity objects from Splunk.
SplunkAddNote	Use this script to add a note with a tag (the "Note tag to Splunk" defined in the instance configuration) as an entry in Cortex, which will then be mirrored as a note to a Splunk finding. This script should be run within an incident.
SplunkPySearch	Deprecated. No available replacement. Run a query through Splunk and format the results as a table.
SplunkConvertNotesToTable	This script is used to convert Splunk notes to a table.
SplunkShowDrilldown	Automation to display drilldown search results from Splunk.
SplunkAddComment	Use this script to add a comment with a tag (the "Comment tag to Splunk" defined in the instance configuration) as an entry in Cortex, which will then be mirrored as a comment to a Splunk issue. This script should be run within an incident.
SplunkShowAsset	Automation to display asset objects from Splunk.
SplunkConvertCommentsToTable	This script is used to convert Splunk comments to a table.

Classifiers

Name	Description
Splunk - Classifier	Classifies Splunk events.
Splunk - Notable Generic Outgoing Mapper	Maps Splunk ES outgoing fields.
Splunk - Incoming Mapper	Maps Splunk logs fields.
Splunk - Notable Generic Incoming Mapper	Maps Splunk ES incoming fields.
Splunk Finding - Outgoing Mapper	Maps Splunk Finding outgoing fields for mirror-out functionality.
Splunk Finding - Incoming Mapper	Maps Splunk Finding incoming fields.

Incident Fields

Name	Description
Splunk Dest Risk Object Type	The destination risk object type from Splunk.
Splunk Security Domain	The security domain from Splunk.
Splunk Disposition	The disposition from Splunk.
Splunk Comments	the notable comments
Notable Drilldown	The result of the drilldown search.
Notable - ID	The ID of the notable
Notable Status	The Splunk notable status. Can be one of the following New, In Progress, Pending, Resolved, Closed
Splunk Notes	the Splunk Notes
Notable Owner	The owner of the notable.
Splunk Drilldown	The drilldown searches from Splunk.
Successful Identity Enrichment	Indicates whether the identity enrichment was successful.
Notable Urgency	The urgency of the notable.
Splunk Dest Risk Score	The destination risk score from Splunk.
Splunk Sensitivity	The sensitivity from Splunk.
Splunk Notable Reviewer	The reviewer of the notable.
Splunk Status	The status from Splunk.
Splunk Urgency	The urgency from Splunk.
Successful Drilldown Enrichment	Indicates whether the drilldown enrichment was successful.
Successful Asset Enrichment	Indicates whether the asset enrichment was successful.

Incident Types

Name	Description
Splunk Notable Generic
Splunk Finding

Integrations

Name	Description
SplunkPy	Run queries on Splunk and fetch Notable Events (Splunk ES versions up to 8.2).
SplunkPy v2	Run queries on Splunk and fetch Finding Events (Splunk ES 8.2+).

Playbooks

Name	Description
Splunk Indicator Hunting	This playbook queries Splunk for indicators such as file hashes, IP addresses, domains, or urls. It outputs detected users, ip addresses, and hostnames related to the indicators.
Splunk Generic	This is a generic playbook to be executed for the Splunk Notable Generic alert type. The playbook performs all the common parts of the investigation, including notifying the SOC, enriching the data for indicators and users, calculating the severity, assigning the alert, notifying the SIEM admin for false positives and more.

Required Content Packs (9)

Pack Name	Pack By
Access Investigation	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Phishing	By: Cortex XSOAR
PhishingAlerts	By: Cortex XSOAR

All level dependencies (12)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Asset	By: Cortex XSOAR
Access Investigation	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Identity	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

4.0.3 - 6580350 (January 6, 2026)

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

4.0.2 - 6462993 (December 28, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

SplunkPy v2

Documentation and metadata improvements.

Playbooks

Splunk Indicator Hunting

Updated the Splunk Indicator Hunting playbook to include SplunkPy v2 as an optional SIEM integration.

Related pull requests:
- 42365

Download

4.0.1 - 6341494 (December 18, 2025)

Integrations

SplunkPy

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

SplunkPy v2

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Added the Unique ID Fields parameter to help prevent duplicate incident IDs.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

Related pull requests:
- 42242

Download

4.0.0 - 6283053 (December 15, 2025)

Incident Fields

New: Splunk Dest Risk Object Type
New: Splunk Dest Risk Score
New: Splunk Disposition
New: Splunk Drilldown
New: Splunk Security Domain
New: Splunk Sensitivity
New: Splunk Status
New: Splunk Urgency
New: Splunk Notes

Incident Types

New: Splunk Finding

Integrations

New: SplunkPy v2

Added the SplunkPy v2 integration, designed to provide compatibility for Splunk ES version 8.2 and higher.

Layouts

New: Splunk Finding

Mappers

New: Splunk Finding - Incoming Mapper

Maps Splunk Finding incoming fields.

New: Splunk Finding - Outgoing Mapper

Maps Splunk Finding outgoing fields for mirror-out functionality.

Scripts

New: SplunkAddNote

Added the SplunkAddNote script to add notes to Splunk findings.

New: SplunkConvertNotesToTable

Added the SplunkConvertNotesToTable script to convert Splunk notes into a MD table format.

SplunkShowDrilldown

Maintenance and stability improvements.

Related pull requests:
- 42115
- 42242

Download

3.3.8 - 6238358 (December 11, 2025)

Scripts

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.12.6204436.

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42247

Download

3.3.7 - 6197444 (December 8, 2025)

Integrations

SplunkPy

Fixed an issue in drilldown search queries that occurred when the Fetch Events query parameter included a "fillnull" command.

Related pull requests:
- 41938

Download

3.3.6 - 6138854 (December 4, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate incidents could occur during daylight saving time transitions.

Related pull requests:
- 41971

Download

3.3.5 - 5717993 (November 3, 2025)

Scripts

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

3.3.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

3.3.3 - 5538136 (October 23, 2025)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.3.2 - R5469292 (October 20, 2025)

Integrations

SplunkPy

Fixed an issue where the SplunkPy integration failed to format mirrored comments with missing title or content fields.

Related pull requests:
- 41514

Download

3.3.1 - R5172709 (September 29, 2025)

Integrations

SplunkPy

Added support for splunk-job-share command that change job settings to share its results to all splunk users, and change its ttl.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4887903.

Related pull requests:
- 41418
- 41374

Download

3.3.0 - 4915660 (September 17, 2025)

Integrations

SplunkPy

Added support for backward compatibility after upgrading to Splunk Enterprise Security version 8 and later. For information about new limitations in ES 8+, see the Splunk ES 8+ Upgrade Limitations section in the Integration README.

Related pull requests:
- 41127

Download

3.2.20 - 4881695 (September 14, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command failed due to incorrect identification of missing indexes.

Related pull requests:
- 41265

Download

3.2.19 - 4661576 (August 26, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate entries were created during the mirror-in process.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4418698.

Related pull requests:
- 41029

Download

3.2.18 - 4384561 (July 31, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command could fail with an 'index not found' error, even when a valid index was provided as an argument.

Related pull requests:
- 40745

Download

3.2.17 - R4246904 (July 21, 2025)

Splunk

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.2.16 - R3980324 (June 26, 2025)

Integrations

SplunkPy

Fixed an issue that prevented incidents from being closed in XSOAR when a notable was closed in Splunk while using mirror-in functionality.
Improved mirroring reliability by subtracting 60 seconds from the last update timestamp to account for indexing delays.

Related pull requests:
- 39610

Download

3.2.15 - 3849419 (June 18, 2025)

Scripts

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40221

Download

3.2.14 - 3769759 (June 12, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

Related pull requests:
- 40195

Download

3.2.13 - 3617165 (June 3, 2025)

Integrations

SplunkPy

Updated the Docker image to: demisto/splunksdk-py3:1.0.0.3534043.

Related pull requests:
- 40133

Download

3.2.12 - 3534539 (May 25, 2025)

Integrations

SplunkPy

Added support for Advanced: Time type to use when fetching events parameter that defines which timestamp will be used to filter the events:
creation time: filters based on when the event actually occurred (current behavior).
index time (beta): beta feature – filters based on when the event was ingested into splunk.
this option is still in testing and may not behave as expected in all scenarios.
when using this mode, the parameter Fetch backwards window for the events occurrence time (minutes) should be set to `0``, as indexing time ensures there are no delay-based gaps.

Related pull requests:
- 39860

Download

3.2.11 - 3526238 (May 25, 2025)

Scripts

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39931

Download

3.2.10 - R3392471 (May 13, 2025)

Integrations

SplunkPy

Fixed an issue causing the splunk-search command to fail with UnicodeDecodeError.

Related pull requests:
- 39691

Download

3.2.9 - 3223000 (April 24, 2025)

Integrations

SplunkPy

Added support for the splunk_job_status command to get a list of job IDs instead of a single value.

Related pull requests:
- 39685

Download

3.2.8 - 3089368 (April 8, 2025)

Integrations

SplunkPy

logging improvements.

Related pull requests:
- 39504

Download

3.2.7 - 3042633 (April 2, 2025)

Integrations

SplunkPy

Metadata and documentation improvements.

Scripts

SplunkShowDrilldown

Metadata and documentation improvements.

SplunkShowAsset

Metadata and documentation improvements.

SplunkConvertCommentsToTable

Metadata and documentation improvements.

SplunkAddComment

Metadata and documentation improvements.

SplunkShowIdentity

Metadata and documentation improvements.

Related pull requests:
- 39241

Download

3.2.6 - 2989425 (March 26, 2025)

Integrations

SplunkPy

Documentation improvements.

Related pull requests:
- 39196

Download

3.2.5 - 2763721 (March 12, 2025)

Splunk

Ensure that mirroring fields only appear in XSOAR integrations.

Related pull requests:
- 38998

Download

3.2.4 - 2659951 (March 5, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

Related pull requests:
- 38897

Download

3.2.3 - 2589718 (February 28, 2025)

Integrations

SplunkPy

Fixed an issue where the Mirror In mechanism has stopped when get-modified-remote-data command failed on error.

Related pull requests:
- 38796

Download

3.2.2 - 2553674 (February 24, 2025)

Integrations

SplunkPy

Fixed an issue in the splunk-job-create command where the query argument incorrectly appended a search string when the query began with a pipe ("|").
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.2074112.

Related pull requests:
- 38732

Download

3.2.1 - 2327094 (February 9, 2025)

Integrations

SplunkPy

Fixed an issue where the parsing of the parameter Server URL wasn't aligned in the integration.

Related pull requests:
- 38375

Download

3.2.0 - 2119627 (February 2, 2025)

Integrations

SplunkPy

Updated the mirror-in mechanism and query to improve performance.

Related pull requests:
- 37904

Download

3.1.51 - R2040490 (January 22, 2025)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 38083

Download

3.1.50 - 1953876 (January 9, 2025)

Integrations

SplunkPy

Updated the Docker image to: demisto/splunksdk-py3:1.0.0.117329.

Related pull requests:
- 38035

Download

4.0.3 - 6580350 (January 6, 2026)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 42564

Download

4.0.2 - 6462993 (December 28, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

SplunkPy v2

Documentation and metadata improvements.

Playbooks

Splunk Indicator Hunting

Updated the Splunk Indicator Hunting playbook to include SplunkPy v2 as an optional SIEM integration.

Related pull requests:
- 42365

Download

4.0.1 - 6341494 (December 18, 2025)

Integrations

SplunkPy

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

SplunkPy v2

Improved the splunk-get-indexes command to support retrieving non-local indexes.
Added the Unique ID Fields parameter to help prevent duplicate incident IDs.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.5493343.

Related pull requests:
- 42242

Download

4.0.0 - 6283053 (December 15, 2025)

Incident Fields

New: Splunk Dest Risk Object Type
New: Splunk Dest Risk Score
New: Splunk Disposition
New: Splunk Drilldown
New: Splunk Security Domain
New: Splunk Sensitivity
New: Splunk Status
New: Splunk Urgency
New: Splunk Notes

Incident Types

New: Splunk Finding

Integrations

New: SplunkPy v2

Added the SplunkPy v2 integration, designed to provide compatibility for Splunk ES version 8.2 and higher.

Layouts

New: Splunk Finding

Mappers

New: Splunk Finding - Incoming Mapper

Maps Splunk Finding incoming fields.

New: Splunk Finding - Outgoing Mapper

Maps Splunk Finding outgoing fields for mirror-out functionality.

Scripts

New: SplunkAddNote

Added the SplunkAddNote script to add notes to Splunk findings.

New: SplunkConvertNotesToTable

Added the SplunkConvertNotesToTable script to convert Splunk notes into a MD table format.

SplunkShowDrilldown

Maintenance and stability improvements.

Related pull requests:
- 42115
- 42242

Download

3.3.8 - 6238358 (December 11, 2025)

Scripts

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.12.6204436.

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.12.6204436.

Related pull requests:
- 42247

Download

3.3.7 - 6197444 (December 8, 2025)

Integrations

SplunkPy

Fixed an issue in drilldown search queries that occurred when the Fetch Events query parameter included a "fillnull" command.

Related pull requests:
- 41938

Download

3.3.6 - 6138854 (December 4, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate incidents could occur during daylight saving time transitions.

Related pull requests:
- 41971

Download

3.3.5 - 5717993 (November 3, 2025)

Scripts

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.12.5490952.

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

3.3.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

3.3.3 - 5538136 (October 23, 2025)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 41627

Download

3.3.2 - R5469292 (October 20, 2025)

Integrations

SplunkPy

Fixed an issue where the SplunkPy integration failed to format mirrored comments with missing title or content fields.

Related pull requests:
- 41514

Download

3.3.1 - R5172709 (September 29, 2025)

Integrations

SplunkPy

Added support for splunk-job-share command that change job settings to share its results to all splunk users, and change its ttl.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4887903.

Related pull requests:
- 41418
- 41374

Download

3.3.0 - 4915660 (September 17, 2025)

Integrations

SplunkPy

Added support for backward compatibility after upgrading to Splunk Enterprise Security version 8 and later. For information about new limitations in ES 8+, see the Splunk ES 8+ Upgrade Limitations section in the Integration README.

Related pull requests:
- 41127

Download

3.2.20 - 4881695 (September 14, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command failed due to incorrect identification of missing indexes.

Related pull requests:
- 41265

Download

3.2.19 - 4661576 (August 26, 2025)

Integrations

SplunkPy

Fixed an issue where duplicate entries were created during the mirror-in process.
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.4418698.

Related pull requests:
- 41029

Download

3.2.18 - 4384561 (July 31, 2025)

Integrations

SplunkPy

Fixed an issue where the splunk-submit-event-hec command could fail with an 'index not found' error, even when a valid index was provided as an argument.

Related pull requests:
- 40745

Download

3.2.17 - R4246904 (July 21, 2025)

Splunk

Documentation and metadata improvements.

Related pull requests:
- 40478

Download

3.2.16 - R3980324 (June 26, 2025)

Integrations

SplunkPy

Fixed an issue that prevented incidents from being closed in XSOAR when a notable was closed in Splunk while using mirror-in functionality.
Improved mirroring reliability by subtracting 60 seconds from the last update timestamp to account for indexing delays.

Related pull requests:
- 39610

Download

3.2.15 - 3849419 (June 18, 2025)

Scripts

SplunkShowAsset

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkShowIdentity

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40221

Download

3.2.14 - 3769759 (June 12, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

Related pull requests:
- 40195

Download

3.2.13 - 3617165 (June 3, 2025)

Integrations

SplunkPy

Updated the Docker image to: demisto/splunksdk-py3:1.0.0.3534043.

Related pull requests:
- 40133

Download

3.2.12 - 3534539 (May 25, 2025)

Integrations

SplunkPy

Added support for Advanced: Time type to use when fetching events parameter that defines which timestamp will be used to filter the events:
creation time: filters based on when the event actually occurred (current behavior).
index time (beta): beta feature – filters based on when the event was ingested into splunk.
this option is still in testing and may not behave as expected in all scenarios.
when using this mode, the parameter Fetch backwards window for the events occurrence time (minutes) should be set to `0``, as indexing time ensures there are no delay-based gaps.

Related pull requests:
- 39860

Download

3.2.11 - 3526238 (May 25, 2025)

Scripts

SplunkConvertCommentsToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkAddComment

Updated the Docker image to: demisto/python3:3.12.8.3296088.

SplunkShowDrilldown

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39931

Download

3.2.10 - R3392471 (May 13, 2025)

Integrations

SplunkPy

Fixed an issue causing the splunk-search command to fail with UnicodeDecodeError.

Related pull requests:
- 39691

Download

3.2.9 - 3223000 (April 24, 2025)

Integrations

SplunkPy

Added support for the splunk_job_status command to get a list of job IDs instead of a single value.

Related pull requests:
- 39685

Download

3.2.8 - 3089368 (April 8, 2025)

Integrations

SplunkPy

logging improvements.

Related pull requests:
- 39504

Download

3.2.7 - 3042633 (April 2, 2025)

Integrations

SplunkPy

Metadata and documentation improvements.

Scripts

SplunkShowDrilldown

Metadata and documentation improvements.

SplunkShowAsset

Metadata and documentation improvements.

SplunkConvertCommentsToTable

Metadata and documentation improvements.

SplunkAddComment

Metadata and documentation improvements.

SplunkShowIdentity

Metadata and documentation improvements.

Related pull requests:
- 39241

Download

3.2.6 - 2989425 (March 26, 2025)

Integrations

SplunkPy

Documentation improvements.

Related pull requests:
- 39196

Download

3.2.5 - 2763721 (March 12, 2025)

Splunk

Ensure that mirroring fields only appear in XSOAR integrations.

Related pull requests:
- 38998

Download

3.2.4 - 2659951 (March 5, 2025)

Integrations

SplunkPy

Documentation and metadata improvements.

Related pull requests:
- 38897

Download

3.2.3 - 2589718 (February 28, 2025)

Integrations

SplunkPy

Fixed an issue where the Mirror In mechanism has stopped when get-modified-remote-data command failed on error.

Related pull requests:
- 38796

Download

3.2.2 - 2553674 (February 24, 2025)

Integrations

SplunkPy

Fixed an issue in the splunk-job-create command where the query argument incorrectly appended a search string when the query began with a pipe ("|").
Updated the Docker image to: demisto/splunksdk-py3:1.0.0.2074112.

Related pull requests:
- 38732

Download

3.2.1 - 2327094 (February 9, 2025)

Integrations

SplunkPy

Fixed an issue where the parsing of the parameter Server URL wasn't aligned in the integration.

Related pull requests:
- 38375

Download

3.2.0 - 2119627 (February 2, 2025)

Integrations

SplunkPy

Updated the mirror-in mechanism and query to improve performance.

Related pull requests:
- 37904

Download

3.1.51 - R2040490 (January 22, 2025)

Splunk

Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.

Related pull requests:
- 38083

Download

3.1.50 - 1953876 (January 9, 2025)

Integrations

SplunkPy

Updated the Docker image to: demisto/splunksdk-py3:1.0.0.117329.

Related pull requests:
- 38035

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	January 7, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.