Splunk® SOAR (On-premises)

Use Splunk SOAR (On-premises)

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

View the list of configured playbooks in

The playbooks list contains all your currently available playbooks and significant metadata about those playbooks. Use the playbooks list to sort, filter, and manage your playbooks.

To open the playbooks list, perform the following steps:

  1. From the Home menu, select Playbooks.
  2. Select the Playbooks tab if it's not already open.
  3. (Optional) Use the search field to find specific playbooks. Searches are case-insensitive and partial-word matches are supported. This search does not support booleans, such as AND, NOT, or OR. For additional information on finding existing playbooks, see Find existing playbooks for your apps in Build Playbooks with the Playbook Editor.

Use the buttons to reorder the playbooks on this page, configure source control, import playbooks, or create new playbooks:

To help improve Splunk SOAR (On-premises), Splunk collects playbook names, playbook descriptions, and custom-function names in telemetry, so don't include any personally identifiable or sensitive information in playbook names, playbook descriptions, and custom-function names.

Button Description
The icon to reorder playbooks. Set the order to run playbooks with a status of Active.
  • Playbooks with a status of Inactive are not run. When you change a playbook's status to Inactive, you are prompted to cancel the running playbook.
  • The next playbook in the list starts once the preceding playbook's on_start() function has completed.
  • If you want one playbook to depend on another playbook finishing completely before starting, use the phantom.playbook() function instead of the playbook list. See playbook in the Python Playbook API Reference for .
The icon to update the playbook from source control. stores playbooks in Git repositories. See Configure a source code repository for your playbooks in Administer . Click this button to open the Update from Source Control dialog.
  1. Select a repository from the drop-down list in the Source to update from field.
  2. Select either Force Update or Preserve State
    • Force Update treats the remote repository as authoritative. Using this overwrites any local changes to playbooks.
    • Preserve State retains the local metadata for changes to playbooks. Playbooks from the community repository always have a status of Inactive. If you have set the status of a community playbook to Active locally, updating from the community repository will set its status to Inactive unless you select Preserve State.
  3. Click Update.
The icon to manage source control. Manage source control settings. See Configure a source code repository for your playbooks in Administer .
The icon to import a playbook. Import a playbook that was exported from another instance of .
  1. Click this button to import a playbook.
  2. In the Source to update field, select a repository where you want to write the imported playbook.
  3. (Optional) Click Force Update to overwrite existing versions of the same playbook.
  4. Drag and drop a compressed playbook in .tgz format, or click and navigate to the playbook.
  5. Click Upload.
The icon to add a playbook. Open the Visual Playbook Editor to create a new playbook. See Create a new playbook in in Build Playbooks with the Playbook Editor.

Select the vertical ellipsis (⋮) icon to toggle the display of the available columns in the playbook list. Items marked with a check mark (✓) are displayed in the playbook list. A horizontal scroll bar appears at the bottom of the playbook list, if needed.

Edit, delete, export, or copy a playbook

Click the name of a playbook to open it in the Visual Playbook Editor. For more information, see Create a new playbook in using the visual playbook editor in Build Playbooks with the Playbook Editor.

Check the checkbox next to the playbook name to select one or more playbooks. After playbooks are selected, you can perform the following actions:

Button Action
Edit Set the properties of the selected playbooks, not the playbooks themselves. Set the status, logging mode, safe mode, which labels the playbook operates on, the category, and tags by selecting the property value you want from the drop-down list.
Delete Delete the selected playbooks. A dialog box asks you to confirm your choice.
Export Download the playbook as a .tgz extension archive. You can export only one playbook at a time.
Copy Save the playbook to a repository that you have configured, such as Git. You can only copy one playbook at a time.
Last modified on 06 November, 2023
PREVIOUS
Search within
  NEXT
Create Executive Summary reports and view all reports in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters