When the Splunk App is used to ingest data from Splunk Enterprise, the events data is packed in one string. To run actions on the events, the events must be normalized (individual fields mapped within Splunk SOAR). By creating a normalize artifact playbook and setting it active, every new event that is ingested is normalized automatically.

By default, the automation user lacks artifact permissions. Before creating the playbook, you must grant permissions to the automation user.