Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The visual editor for classic playbooks is now removed. Convert your classic playbooks to modern mode. Your classic playbooks will continue to run and you can view and edit them in the SOAR Python code editor.
For details, see:

Determine your playbook flow in

The order in which you arrange the blocks and lines in your playbook determine the playbook flow.

Process playbook blocks serially

Serial processing means playbook blocks are performed in the order they are arranged.

This screenshot shows a playbook with the following blocks: Start, geolocate IP, lookup IP, and End.

In this example, the blocks perform as described:

  1. A geolocate ip is performed on a source IP address.
  2. When the geolocate ip action is finished, a lookup ip performs.

Use serial processing when there must be a specific order to the operations, such as when a downstream block depends on the results from an upstream block.

Processing playbook blocks in parallel

You can also wire blocks to process in parallel, as shown in the following example.

This screenshot shows a playbook with a Start block branching into geolocate IP and lookup IP blocks. Both geolocate IP and lookup IP blocks then go to a single End block.

In this case, the geolocate ip and lookup ip actions perform simultaneously, and either action can finish first. You can wire blocks in this manner when you have no dependencies on the completion of either block, or if there are no dependencies between the blocks themselves.

Arrange playbook blocks

Arrange, or rearrange the playbook flow by moving playbook blocks. You can arrange playbook blocks in the following ways:

  • Individual blocks: Select and drag a single block and drop it in a new location.
  • Multiple blocks: Hold the Command or Ctrl key and select multiple blocks. Then drag them as a group and drop them in a new location.
  • All playbook blocks: Select anywhere on the canvas and drag all of the contents of a playbook to a new location on the canvas.
Last modified on 20 February, 2025
Automate responses with Splunk Enterprise Security playbook blocks   Repeat actions with logic loops

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters