Run a playbook in Splunk Phantom

Analysts can use the /playbook command to run a playbook from the command line in Splunk Phantom.

To run a playbook from the command line, supply either the playbook_id or the playbook_name, followed by the scope. A playbook_name consists of the repository name, a slash ( / ), and the name of the playbook.

You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:

https://<phantom.example.com>/playbook/1

Or you can use the REST API to query /rest/playbook. See Query for Data in Splunk Phantom REST API Reference.

Scope is one of the following values:

  • new - Run the playbook for only artifacts added to the container since the last time the playbook was run.
  • all - Run the playbook against all artifacts in the container.
  • <artifact ID> - Run the playbook for either a specific artifact or a list of artifacts.

Example using the playbook ID

/playbook 1 new

Example using the playbook name

/playbook local/example_playbook all

You can also supply a list in place of a single playbook ID or name, a list in place of a single scope, or both: to run multiple playbooks, to run one playbook for multiple specified artifacts or scopes, or to run multiple playbooks for multiple specified artifacts or scopes.

Example of multiple specified artifacts

/playbook 1 ["41", "43", "45"]

This example runs playbook 1, for artifact IDs 41, 43, and 45 in the container.

Example of multiple playbooks

/playbook ["1", "2", "3"] new

This example runs playbooks 1, 2, and 3 for new artifacts in the container.

Example of multiple playbooks and multiple scopes

/playbook ["1", "2"] ["new", "all"]

This example runs playbooks 1 and 2 for both the new and the all scope.
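As an added example that is not part of the Phantom documentation or product, the following Python parser reads a /playbook command in the syntax described above and expands it into the (playbook, scope) pairs it asks for. The helper names are assumptions, the character set accepted in a repository/playbook name is an assumption, and lists on both sides are treated as every playbook for every scope, as in the last example above.

```python
import json
import re

# Constructed example: a validator/expander for the /playbook command syntax
# documented on this page. Not Phantom's own parser; helper names are assumed.

# A term is either a JSON-style list in square brackets or a bare token.
TERM_RE = re.compile(r"\[[^\]]*\]|\S+")
# Assumed character set for repository/playbook_name (page only says repo, slash, name).
PLAYBOOK_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def _parse_term(token):
    """Return the list of values in a term: a bare value, or the members of a JSON list."""
    if token.startswith("["):
        values = json.loads(token)
        if not isinstance(values, list) or not values:
            raise ValueError(f"expected a non-empty JSON list: {token}")
        return [str(v) for v in values]
    return [token]


def _check_playbook(value):
    """Accept a numeric playbook_id or a repository/playbook_name."""
    if value.isdigit() or PLAYBOOK_NAME_RE.match(value):
        return value
    raise ValueError(f"invalid playbook_id or playbook_name: {value!r}")


def _check_scope(value):
    """Accept only the scopes the page defines: new, all, or an artifact ID."""
    if value in ("new", "all") or value.isdigit():
        return value
    raise ValueError(f"invalid scope: {value!r} (expected new, all, or an artifact ID)")


def parse_playbook_command(command):
    """Expand '/playbook <playbook|[list]> <scope|[list]>' into (playbook, scope) pairs.
    Assumption: with lists on both sides, every playbook runs for every scope."""
    parts = TERM_RE.findall(command.strip())
    if len(parts) != 3 or parts[0] != "/playbook":
        raise ValueError("usage: /playbook <playbook_id|playbook_name|[list]> <scope|[list]>")
    playbooks = [_check_playbook(p) for p in _parse_term(parts[1])]
    scopes = [_check_scope(s) for s in _parse_term(parts[2])]
    return [(p, s) for p in playbooks for s in scopes]


def is_valid_playbook_command(command):
    """True if the command parses under the rules above, False otherwise."""
    try:
        parse_playbook_command(command)
        return True
    except ValueError:
        return False
```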

Last modified on 21 January, 2020

This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9