Splunk SOAR (f.k.a. Phantom)

Delay in running multiple playbooks on the same event - Is there some way to configure SOAR to run these 2 playbooks?

mladen_tomic
New Member

Two independent playbooks performing different automation tasks are triggered by the same event. The expectation is that both playbooks will start at approximately the same time; however, it was observed that in some cases they start anywhere between 10sec to 50sec apart. Is there some way to configure SOAR to run these 2 playbooks synchronously?

First playbook start time:

2022-10-12T15:07:40.773325Z: Starting playbook 'core/SGs Link Verification (id: 121, version: 14, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 513, running as user '2' with scope 'new'

Second playbook start time:

2022-10-12T15:08:32.483185Z: Starting playbook 'core/Limit SGs Run Time (id: 122, version: 10, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 514, running as user '2' with scope 'new'

0 Karma

phanTom
SplunkTrust

@mladen_tomic are both playbooks set to active or called from a "Parent" at the same time?

If you are setting them both active I would just look to call them both at the same time in a single, parent playbook as they will definitely both trigger at the same time if done like this and then you also only have 1 active playbook instead of 2 to manage! You can toggle a switch to make them synchronous too which means they won't continue down the playbook logic until they are complete, and if necessary you can use a join on the downstream block to make sure both playbooks complete before continuing.

-- Hope this helped! Happy SOARing! If this solved your issue please mark as a solution --

0 Karma

mladen_tomic
New Member

@phanTom 

2nd playbook is checking 1st playbook's run time and it terminates it if it goes over threshold. So they cannot be in one parent playbook.

0 Karma