Splunk® Phantom

Use Splunk Phantom

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Create cases in Splunk Phantom

Once you have at least one case workbook, you can create cases to use that workbook.

Cases only contain the items from the workbook at the time the case was created. If you create a case from a workbook, and then later add a new phase to the workbook, the new phase is not available to the existing workbook. Only new cases created after the workbook is changed will have the new phase available to use. The case was a copy at the time it was created. There is no live link to the workbook. Items deleted from the workbook aren't deleted from cases created before the workbook change.

Promote a container to a case

Create a case by promoting a container.

  1. From the main menu, select Sources, and then select a container label.
  2. Click the suitcase (the suitcase icon) icon.
  3. In the Promote to Case window, select the new workbook you want to use on this case. If you already added a workbook to the container, you do not have the option to select a workbook. The menu is inactive with the text "Keep current workbook".
  4. Click Save.

A case looks similar to its container and has all of the same functions. The colored block with the word Case indicates that it is a case.

Select the Workbook tab to see the tasks defined in case workbook. The blue highlight indicates the current page and shows task completion progress within each phase.

Demote a case to change it back to a container

Perform the following steps to change a case back to a container:

  1. In Splunk Phantom, navigate to the case you want to demote.
  2. Click the suitcase (the suitcase icon) icon.

Delete a case in Splunk Phantom

Perform the following steps to delete a case:

  1. In the main menu, select Cases.
  2. Select the cases you want to delete.
  3. Click Delete.
  4. Click Delete again to confirm that you want to delete the selected cases.
Last modified on 25 February, 2020
PREVIOUS
Overview of cases
  NEXT
Add objects to a case in Splunk Phantom

This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters