Run a playbook in
Analysts can use the
/playbook command to run a playbook from the command line in .
To run a playbook from the command line, you must supply the playbook_id or playbook_name and the scope. A playbook_name consists of a repository, followed by a slash ( / ), and the name of the playbook.
You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:
Or you can use the REST API to query
/rest/playbook. See Query for Data in REST API Reference for .
Scope is one of the following values:
new- Run the playbook for only artifacts added to the container since the last time the playbook was run.
all- Run the playbook against all artifacts in the container.
<artifact ID>- Run the playbook for either a specific artifact or a list of artifacts.
Example using the playbook ID
/playbook 1 new
Example using the playbook name
/playbook local/example_playbook all
You can also supply lists for IDs or scope to run multiple playbooks, to run a playbook for multiple specified artifacts or scopes, or multiple playbooks for multiple specified artifacts.
Example of multiple specified artifacts
/playbook 1 ["41", "43", "45"]
This example runs playbook 1, for artifact IDs 41, 43, and 45 in the container.
Example of multiple playbooks
/playbook ["1", "2", "3"] new
This example runs playbooks 1, 2, and 3 for new artifacts in the container.
Example of multiple playbooks and multiple scopes
/playbook ["1", "2"] ["new", "all"]
The example runs playbooks 1 and 2 for both the new and all scope.
Run an action in
Add a note in
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7