Synchronize workbooks across multiple Splunk Phantom servers
Keep all your Splunk Phantom workbooks synchronized in environments where you have multiple Splunk Phantom servers, with multiple workbooks on each server.
What you need to be able to manage workbooks across multiple Splunk Phantom servers
Verify the following before you use the Splunk Phantom App for Splunk to manage your Splunk Phantom workbooks:
- Make sure you have connected your Splunk Phantom servers and have designated one default server. See Steps to connect the Splunk platform with Splunk Phantom or Splunk SOAR.
- Use only one instance of the Splunk Phantom Add-on for Splunk to manage workbooks across multiple Splunk Phantom servers. It's OK if the Splunk Phantom Add-on for Splunk is installed in a search head cluster where the search heads will share a single configuration file for the workbook synchronization.
- Check your workbook names and make sure they do not contain any special characters. Use only alphanumeric characters a-z, A-Z, 0-9, along with dashes (-) and underscores (_). Do not use any other characters.
- On all Splunk Phantom servers where you have existing workbooks, back up your existing workbooks by using page_size=0 to query the /rest/workbook_template, /rest/workbook_phase_template, and /rest/workbook_task_template REST endpoints. For example, to back up the workbooks on the Splunk Phantom server with the IP address 10.1.2.3, query the following URLs:
  https://10.1.2.3/rest/workbook_template?page_size=0
  https://10.1.2.3/rest/workbook_phase_template?page_size=0
  https://10.1.2.3/rest/workbook_task_template?page_size=0
  See REST Workbook in the REST API Reference for Splunk Phantom manual.
- In Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server or Splunk SOAR, you set up a new automation user to integrate Splunk Phantom servers with the Splunk platform. You must create a new role with delete privileges for Cases and Events and assign this role to that automation user. Without this permission, you cannot delete any workbooks.
- In Splunk Phantom or Splunk SOAR, select Administration from the main menu.
- Select User Management > Roles & Permissions.
- Click + Role to create a new role.
- Specify a name and description for the role, then click the Delete checkbox in the Cases and Events fields.
- Click Add Users to add this role to a user.
- In the Users field, click the drop-down list and select the automation user you created earlier.
- Click Add.
- Click Create Role.
- From the main menu, select User Management > Users and verify that your automation user has the new role associated with it.
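The two pre-sync checks above (workbook names restricted to a-z, A-Z, 0-9, dashes and underscores, and a page_size=0 backup of the three workbook REST endpoints) as an added example script, not code from the Splunk Phantom App. It assumes the automation user's token is sent in the ph-auth-token header and that each endpoint returns JSON with a data list whose records carry a name field; the sample response is constructed.

```python
"""Pre-sync name check and REST backup of Splunk Phantom workbooks (added example)."""
import json
import re
import ssl
import urllib.request
from pathlib import Path

# The three endpoints named on the page; page_size=0 returns every record at once.
WORKBOOK_ENDPOINTS = ("workbook_template", "workbook_phase_template", "workbook_task_template")
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def valid_workbook_name(name: str) -> bool:
    """True only if the name uses a-z, A-Z, 0-9, '-' and '_' (the synchronization requirement)."""
    return bool(NAME_RE.fullmatch(name))


def backup_url(host: str, endpoint: str) -> str:
    """Build the page_size=0 query URL for one endpoint, e.g. for host 10.1.2.3."""
    return f"https://{host}/rest/{endpoint}?page_size=0"


def fetch_json(url: str, token: str, verify_tls: bool = True) -> dict:
    """GET a Phantom REST endpoint as the automation user (ph-auth-token header assumed)."""
    req = urllib.request.Request(url, headers={"ph-auth-token": token})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab servers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def invalid_names(template_response: dict) -> list:
    """Names in a /rest/workbook_template response that would break synchronization."""
    return [r.get("name", "") for r in template_response.get("data", [])
            if not valid_workbook_name(r.get("name", ""))]


def backup_workbooks(host: str, token: str, outdir: str, verify_tls: bool = True) -> list:
    """Save all three endpoint responses as JSON files under outdir; returns the paths written."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for ep in WORKBOOK_ENDPOINTS:
        data = fetch_json(backup_url(host, ep), token, verify_tls)
        path = out / f"{host}_{ep}.json"
        path.write_text(json.dumps(data, indent=2))
        written.append(str(path))
    return written
```

Run invalid_names on the saved workbook_template response before the first sync and rename anything it reports on the default server.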
Synchronize your workbooks for the first time
Perform the following tasks to synchronize your Splunk Phantom workbooks for the first time.
- Navigate to the Splunk Phantom App for Splunk on your Splunk platform.
- Click the Workbooks tab. The first time you access the page, no workbooks are listed.
- Click Sync Workbooks.
When you click Sync Workbooks for the first time, all workbooks across all connected Splunk Phantom servers are retrieved and listed on the page. For example, suppose we have three Splunk Phantom servers with the workbooks shown in the illustration below. There is a workbook named workbook1 on two of the servers.
After clicking on Sync Workbooks, all of the workbooks across all servers are retrieved and listed on the Workbooks tab, and all workbooks are made available on all Splunk Phantom servers.
Make changes to your workbooks or add new workbooks from the default Splunk Phantom server
Each time you click Sync Workbooks the Splunk Phantom App for Splunk does the following:
- Retrieve all workbooks from all connected Splunk Phantom servers.
- Push all workbooks to all connected Splunk Phantom servers.
When retrieving the workbooks from the Splunk Phantom servers, the version on the default server is used as the published version. When a workbook name is added for the first time, an underscore and version number are added to any workbooks with name conflicts across multiple Splunk Phantom servers. For example, workbook1 from the default server is propagated to the other Splunk Phantom servers. Since Server 2 also had a workbook with the same name, workbook1 on Server 2 is overwritten by workbook1 from Server 1. The workbook1 from Server 2 is renamed workbook1_1 and appears with a status of deleted in the Splunk Phantom App for Splunk, and does not appear on any Splunk Phantom servers. If you want to preserve the workbook that is now named workbook1_1 you can restore the workbook. After another sync, workbook1_1 will appear on all Splunk Phantom servers.
This is the reason why you should make edits to your workbooks only on the default server, and use the Splunk Phantom App for Splunk to synchronize all workbooks across your Splunk Phantom deployment.
Determine which workbooks are synchronized by deleting, restoring, or purging workbooks
You can manage your workbooks by selecting one of the following actions:
| Option | Description |
|---|---|
| Delete | Delete the selected workbook from all Splunk Phantom servers. The workbook is still visible from the Splunk platform with a status of Deleted. You can restore this workbook by selecting the Restore option. |
| Restore | Restore a deleted workbook. The workbook is restored on all Splunk Phantom servers. |
| Purge | Delete the selected workbook from all Splunk Phantom servers and also do not display this workbook in the Splunk platform. Purged workbooks cannot be restored. |
If you want to delete any connected Splunk Phantom servers and the workbooks on that server, you must delete the workbooks before deleting the server.
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.3