For details, see:
Run a playbook in Splunk SOAR (On-premises)
Analysts can use the /playbook command to run a playbook from the command line in Splunk SOAR (On-premises).
To run a playbook from the command line, you must supply the playbook_id or playbook_name and the scope. A playbook_name consists of a repository, followed by a slash ( / ), and the name of the playbook.
You can get a playbook_id or playbook_name by looking up the playbook from Main Menu > Playbooks, and clicking the playbook name from the list. The ID is the number in the playbook URL. See the following example:
https://phantom.example.com/playbook/1
Or you can use the REST API to query /rest/playbook. See Query for Data in the REST API Reference for Splunk SOAR (On-premises).
Scope is one of the following values:
new - Run the playbook for only artifacts added to the container since the last time the playbook was run.
all - Run the playbook against all artifacts in the container.
<artifact ID> - Run the playbook for either a specific artifact or a list of artifacts.
Example using the playbook ID
/playbook 1 new
Example using the playbook name
/playbook local/example_playbook all
You can also supply lists for IDs or scope to run multiple playbooks, to run a playbook for multiple specified artifacts or scopes, or multiple playbooks for multiple specified artifacts.
Example of multiple specified artifacts
/playbook 1 ["41", "43", "45"]
This example runs playbook 1, for artifact IDs 41, 43, and 45 in the container.
Example of multiple playbooks
/playbook ["1", "2", "3"] new
This example runs playbooks 1, 2, and 3 for new artifacts in the container.
Example of multiple playbooks and multiple scopes
/playbook ["1", "2"] ["new", "all"]
This example runs playbooks 1 and 2 for both the new and all scopes.
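An added example, not from the Splunk documentation: a Python pre-flight check that validates a /playbook command line against the syntax described above before it is submitted. It assumes list arguments are written as quoted, JSON-style arrays as in the examples and that playbook names contain no whitespace; parse_playbook_command and its helpers are hypothetical names, and nothing here contacts Splunk SOAR.

```python
import json
import re

SCOPE_KEYWORDS = {"new", "all"}              # scope keywords listed on this page
ID_RE = re.compile(r"[0-9]+")                # playbook_id or artifact ID
NAME_RE = re.compile(r"[^/\s]+/[^/\s]+")     # assumed shape: repository/playbook
# "/playbook", then a scalar or [...] list, then a scalar or [...] list.
CMD_RE = re.compile(r"/playbook\s+(\[.*?\]|\S+)\s+(\[.*?\]|\S+)")


def _items(token):
    """Return the strings in a scalar token or a ["a", "b"] style list."""
    if not token.startswith("["):
        return [token]
    values = json.loads(token)  # a malformed list raises ValueError
    if not values or not all(isinstance(v, str) for v in values):
        raise ValueError("list must be non-empty and hold quoted strings")
    return values


def parse_playbook_command(line):
    """Validate a /playbook command and return (playbooks, scopes)."""
    match = CMD_RE.fullmatch(line.strip())
    if not match:
        raise ValueError("expected: /playbook <playbook> <scope>")
    playbooks, scopes = _items(match.group(1)), _items(match.group(2))
    for pb in playbooks:
        if not (ID_RE.fullmatch(pb) or NAME_RE.fullmatch(pb)):
            raise ValueError(f"not a playbook_id or repository/name: {pb!r}")
    for scope in scopes:
        if scope not in SCOPE_KEYWORDS and not ID_RE.fullmatch(scope):
            raise ValueError(f"scope must be new, all or an artifact ID: {scope!r}")
    return playbooks, scopes


if __name__ == "__main__":
    # Constructed inputs: the page's four examples plus two malformed commands.
    for cmd in ['/playbook 1 new', '/playbook local/example_playbook all',
                '/playbook 1 ["41", "43", "45"]',
                '/playbook ["1", "2"] ["new", "all"]',
                '/playbook example_playbook all', '/playbook 1 everything']:
        try:
            print(cmd, "->", parse_playbook_command(cmd))
        except ValueError as err:
            print(cmd, "-> rejected:", err)
```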
Playbooks interrupted by a system restart
If your system restarts while a playbook is running, the playbook run is cancelled. Any changes made by the playbook before the restart remain, and are not rolled back.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0