Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Delay in running multiple playbooks on the same event- Is there some way to configure SOAR to run these 2 playbooks?

mladen_tomic
Engager
‎10-12-2022 01:56 PM

Two independent playbooks performing different automation tasks are triggered by the same event. The expectation is that both playbooks will start approximately at the same time however it was observed that in some cases they start anywhere between 10sec to 50sec apart.  Is there some way to configure SOAR to run these 2 playbooks synchronously?

 

First playbook start time:

2022-10-12T15:07:40.773325Z: Starting playbook 'core/SGs Link Verification (id: 121, version: 14, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 513, running as user '2' with scope 'new'

 

Second playbook start time:

2022-10-12T15:08:32.483185Z: Starting playbook 'core/Limit SGs Run Time (id: 122, version: 10, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 514, running as user '2' with scope 'new'

 

 

 

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mladen_tomic
Engager
‎10-19-2022 12:34 PM

@phanTom 

2nd playbook is checking 1st playbook's run time and it terminates it if goes over threshold.  So they they cannot be in one parent playbook.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎10-13-2022 01:21 AM

@mladen_tomic are the both playbooks set to active or called from a "Parent" at the same time?

If you are setting them both active I would just look to call them both at the same time in a single, parent playbook as they will definitely both trigger at the same time if done like this and then you also only have 1 active playbook instead of 2 to manage! You can toggle a switch to make them syncronous too which means they won't continue down the playbook logic until they are complete, and if necessary you can use a join on the downstream block to make sure both playbooks complete before continuing. 

-- Hope this helped! Happy SOARing! If this solved your issue please mark as a solution --

0 Karma
Reply
Solved! Jump to solution
Solution

mladen_tomic
Engager
‎10-19-2022 12:34 PM

@phanTom 

2nd playbook is checking 1st playbook's run time and it terminates it if goes over threshold.  So they they cannot be in one parent playbook.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...