Skip to main content

Hi Guys,

I am trying to integrate On prem Splunk which is hosted on AWS cloud. AWS team allowed communication between Chronicle SOAR (ingress and egress) IPs and Splunk search head public IP over port 8089. But still getting connectivity error:

Failed to connect to the Splunk - Ping server! Error is HTTPSConnectionPool(host='x.x.x.x', port=8089): Max retries exceeded with url: /services/search/jobs/export?output_mode=json (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7cce8a7c9710>: Failed to establish a new connection: [Errno 110] Connection timed out'))

From the network side, we see traffic accepted from SOAR egress IP but no traffic for ingress IP.

We want to integrate Splunk ES - Notable Events Connector to ingest notables.

Any help on this will be greatly appreciated.

@VictorSOAR


SOAR ingress IP shouldn't be used to communicate with QRadar. Ingress IP is only for SOAR UI access. 


> From the network side, we see traffic accepted from SOAR egress IP
It is a good sign. I would recommend you perform traffic capture next to QRadar to understand if traffic gets to QRadar (or maybe there's some additional firewall). 


Ideally, I recommend you use Remote Agent, which is intended for such cases when you need to connect to your network without exposing any ports or IPs. 

@VictorSOAR


SOAR ingress IP shouldn't be used to communicate with QRadar. Ingress IP is only for SOAR UI access. 


> From the network side, we see traffic accepted from SOAR egress IP
It is a good sign. I would recommend you perform traffic capture next to QRadar to understand if traffic gets to QRadar (or maybe there's some additional firewall). 


Ideally, I recommend you use Remote Agent, which is intended for such cases when you need to connect to your network without exposing any ports or IPs. 


Thanks @f3rz  for your response

Is it necessary to install the TA-Siemplify package on the Splunk search head? I am attempting to pull alerts and have observed environments where the TA-Siemplify app is not installed on Splunk, yet they successfully pull alerts into Chronicle SOAR.

Could there be any issues or limitations if we do not install the TA-Siemplify package on Splunk?

Is it necessary to install the TA-Siemplify package on the Splunk search head? I am attempting to pull alerts and have observed environments where the TA-Siemplify app is not installed on Splunk, yet they successfully pull alerts into Chronicle SOAR.

Could there be any issues or limitations if we do not install the TA-Siemplify package on Splunk?


TA-Siemplify app is necessary only if you want to use:


1. Pull method of collecting alerts utilising pull connector
2. Push method that will use SOAR API to create alerts directly in SOAR and does not require connector. 

For the rest of connectors and other integration components this application is not required, please see:
https://cloud.google.com/chronicle/docs/soar/marketplace-integrations/splunk

Thanks @f3rz , this answered my question perfectly!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.