Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Find existing playbooks for your apps

Before you begin creating new playbooks from scratch, consider looking for existing playbooks that are similar to your use case that you might use as is, or as a base for a template you want to create. You can start with an existing playbook, from the community or from someone else in your organization and, if needed, modify a copy of it to suit your specific needs.

For any app installed in your instance, you can find a list of existing playbooks that are available in the community or are already configured in your environment. For example, if you use the MaxMind app for geolocation, you can view all of the existing playbooks associated with MaxMind. You can use one of the existing playbooks as is, or use it as a starting place so you don't have to create a playbook from scratch.

The Splunk community is a rich resource for shared playbooks. Using or starting with an existing playbook can save you time and effort.

Find associated playbooks

Playbooks are associated with various applications. You can search for existing playbooks based on the apps you have available in your system.

Before you begin

Make sure that you have installed any apps that you want to use with playbooks, so you an find all of the associated playbooks. For details on adding apps to your instance, see Add and configure apps and assets to provide actions in .

Find playbooks for your apps

To find playbooks associated with your installed apps, follow these steps:

  1. In , navigate to the Apps page.
  2. Find the app you want to work with. In the row for that app, select Associated Playbooks.
    A list of existing playbooks that work with that app display.
  3. Select the name of an existing playbook that you want to explore. The playbook opens in the Visual Playbook Editor.
  4. If you are missing configurations, a message appears in the upper corner of the screen under your username. Select View to make the necessary configurations. This process is described in Missing configurations in imported playbooks in the Export and import playbooks in article.
  5. To save a copy of the existing playbook, select the three dots in the upper corner of the screen and select Save as.
  6. You can use the existing playbook without making any changes or modify it to suit your organization's needs.
    To modify an existing playbook, see the instructions in the next articles in this section, starting with Create a new playbook in .

Find playbooks for specific apps

You might want to use playbooks for a specific app that is not necessarily one that you have already installed.

To find playbooks associated with other apps, follow these steps:

  1. In , navigate to the Playbooks page.
  2. In the table headings, select Apps Used. Either select from the list of installed apps shown or use the search box to enter the name of an installed app. The table displays only playbooks that use that app.
  3. Select the name of an existing playbook that you want to explore. The playbook opens in the Visual Playbook Editor.

Find playbooks by type

You can also use the filters on the Playbooks page to find categories of playbooks or specific playbooks. Filters are shown by an arrow icon next to a column heading. Actions with filters on the Playbooks page include:

  • Select the Status column arrow to sort all playbooks or to display playbooks with a certain status, Active, Inactive, or Draft
  • Select the Repo column arrow to sort all playbooks or to display playbooks within a certain repository, like Community, Local, or another defined repo.
  • Select the Type column arrow to sort all playbooks or to display playbooks that are either Automation or Input type.
Last modified on 30 November, 2023
Choose between playbooks and classic playbooks in   Create a new playbook in

This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters