Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Run a playbook in

Analysts can use the /playbook command to run a playbook from the command line in .

To run a playbook from the command line, you must supply the playbook_id or playbook_name and the scope. A playbook_name consists of a repository, followed by a slash ( / ), and the name of the playbook.

You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:


Or you can use the REST API to query /rest/playbook. See Query for Data in REST API Reference for .

Scope is one of the following values:

  • new - Run the playbook for only artifacts added to the container since the last time the playbook was run.
  • all - Run the playbook against all artifacts in the container.
  • <artifact ID> - Run the playbook for either a specific artifact or a list of artifacts.

Example using the playbook ID

/playbook 1 new

Example using the playbook name

/playbook local/example_playbook all

You can also supply lists for IDs or scope to run multiple playbooks, to run a playbook for multiple specified artifacts or scopes, or multiple playbooks for multiple specified artifacts.

Example of multiple specified artifacts

/playbook 1 ["41", "43", "45"]

This example runs playbook 1, for artifact IDs 41, 43, and 45 in the container.

Example of multiple playbooks

/playbook ["1", "2", "3"] new

This example runs playbooks 1, 2, and 3 for new artifacts in the container.

Example of multiple playbooks and multiple scopes

/playbook ["1", "2"] ["new", "all"]

The example runs playbooks 1 and 2 for both the new and all scope.

Last modified on 07 September, 2021
Run an action in   Add a note in

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters