Run a playbook in Splunk Phantom
Analysts can use the /playbook command to run a playbook from the command line in Splunk Phantom.
To run a playbook from the command line, you must supply the playbook_id or playbook_name and the scope. A playbook_name consists of a repository, followed by a slash ( / ), and the name of the playbook.
You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:
https://<phantom.example.com>/playbook/1
Or you can use the REST API to query /rest/playbook. See Query for Data in the REST API Reference for Splunk Phantom.
Scope is one of the following values:
new - Run the playbook for only artifacts added to the container since the last time the playbook was run.
all - Run the playbook against all artifacts in the container.
<artifact ID> - Run the playbook for either a specific artifact or a list of artifacts.
Example using the playbook ID
/playbook 1 new
Example using the playbook name
/playbook local/example_playbook all
You can also supply lists for IDs or scopes to run multiple playbooks, to run a playbook for multiple specified artifacts or scopes, or to run multiple playbooks for multiple specified artifacts.
Example of multiple specified artifacts
/playbook 1 ["41", "43", "45"]
This example runs playbook 1 for artifact IDs 41, 43, and 45 in the container.
Example of multiple playbooks
/playbook ["1", "2", "3"] new
This example runs playbooks 1, 2, and 3 for new artifacts in the container.
Example of multiple playbooks and multiple scopes
/playbook ["1", "2"] ["new", "all"]
This example runs playbooks 1 and 2 for both the new and all scopes.
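The following is an added example, not Splunk Phantom's own code: a small parser that validates a /playbook command line against the syntax above (ID or repository/name, scope of new, all, or artifact IDs, and the JSON-style list forms) before anything is run. The character set allowed in playbook names and the expansion of list arguments into one run per playbook and keyword scope are assumptions, not documented behaviour.

```python
"""Validate and expand the /playbook command syntax described on this page.

Added example; not Splunk Phantom code. The expansion rules below are an
assumed reading of the page's examples.
"""
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field

# A playbook reference is a numeric ID or repository/playbook_name (assumed charset).
PLAYBOOK_NAME = re.compile(r"^[\w.-]+/[\w.-]+$")
KEYWORD_SCOPES = {"new", "all"}
# Tokens are either a bracketed list (which may contain spaces) or a bare word.
TOKEN = re.compile(r"\[[^\]]*\]|\S+")


@dataclass
class PlaybookRun:
    playbook: str                 # playbook_id or repository/playbook_name
    scope: str                    # "new", "all", or "artifacts"
    artifact_ids: list[str] = field(default_factory=list)


def _parse_token(token: str) -> list[str]:
    """A token is a bare value or a JSON list of strings, e.g. ["41", "43"]."""
    if token.startswith("["):
        values = json.loads(token)
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"expected a JSON list of strings: {token}")
        return values
    return [token]


def parse_playbook_command(line: str) -> list[PlaybookRun]:
    """Turn '/playbook <id|name|list> <scope|list>' into validated run requests."""
    tokens = TOKEN.findall(line)
    if len(tokens) != 3 or tokens[0] != "/playbook":
        raise ValueError("usage: /playbook <playbook_id|playbook_name|list> <scope|list>")
    playbooks, scopes = _parse_token(tokens[1]), _parse_token(tokens[2])
    for pb in playbooks:
        if not (pb.isdigit() or PLAYBOOK_NAME.match(pb)):
            raise ValueError(f"bad playbook reference: {pb!r}")
    keywords = [s for s in scopes if s in KEYWORD_SCOPES]
    artifact_ids = [s for s in scopes if s not in KEYWORD_SCOPES]
    if any(not a.isdigit() for a in artifact_ids):
        raise ValueError(f"scope must be new, all, or an artifact ID: {artifact_ids}")
    runs: list[PlaybookRun] = []
    for pb in playbooks:
        runs.extend(PlaybookRun(pb, kw) for kw in keywords)   # one run per keyword scope
        if artifact_ids:                                      # artifact IDs share one run
            runs.append(PlaybookRun(pb, "artifacts", list(artifact_ids)))
    return runs
```

Rejecting malformed references before they reach the platform keeps a mistyped or unexpected command from silently running nothing, or running the wrong playbook.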
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7