Splunk® SOAR (On-premises)

Build Playbooks with the Playbook Editor

This documentation does not apply to the most recent version of Splunk® SOAR (On-premises). For documentation on the most recent version, go to the latest release.

Run other playbooks inside your playbook in

You can configure your playbook to run another existing playbook. Call one playbook from another playbook to avoid having to copy and maintain code in different places. You can call a playbook from another playbook any number of times, up to 10 levels of recursion. For example, playbook A can be called by playbook B, which can be called by playbook C, and so on, for a maximum of 10 nested levels. However, there is no limit to the number of playbooks which can call playbook A, provided the calls are within 10 levels of recursion.

To configure your playbook to run another playbook:

  1. Drag and drop the half-circle icon attached to any existing block in the editor. Select a Playbook block from the menu that appears.
  2. In the Playbook field, select the playbook you want to run from the drop-down list. When you hover over a playbook, the repository the playbook is in, description, and parent playbooks, if any, are listed. You can select playbooks from the All Playbooks, Automation, or Input type playbook categories.
  3. (Optional) If you selected an Input type playbook, you can assign the inputs datapaths from the list. For more information on using an Input playbook as a sub-playbook, see Use an Input playbook as a sub-playbook.
  4. (Optional) Toggle the Synchronous switch on to make this playbook wait for the called playbook to complete running before continuing. If this switch is left off, the playbook finishes executing without waiting for the called playbook to complete.

You can also configure Advanced settings for a Playbook block. You can use Join Settings and Scope with a playbook block. For more information on these settings, see Advanced settings.

Playbooks differ from action blocks in the following ways:

  • The playbook continues to downstream blocks regardless of whether the called playbook is successful.
  • The called playbook doesn't return any values that are used in downstream blocks.
  • The called playbook doesn't determine the data set, and it operates on the container data with the scope inherited from the caller.
  • The called playbook runs independently from the caller. If you wire a series of playbooks to run, they are processed in parallel if the Synchronous switch is left off. See Determine your playbook flow in .

If you use the Scope advanced setting on a playbook block, it won't change the scope of a child playbook. Scope only affects the collected artifact data that is passed in as inputs to the child playbook and the collection occurs before the child playbook is run.

Last modified on 22 September, 2021
Add an action block to your playbook   Add custom code to your playbook with the code block

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters