Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to schedule a Phantom playbook to run at specific intervals?

AlexBryant
Path Finder
‎12-03-2019 10:21 AM

I have completed Phantom playbook that I need to run every 5 minutes. I know that the Timer app can be used to schedule playbook execution by generating events on a preset schedule, but how would a set up two separate schedules for two separate playbooks - say, one that runs every 5 minutes and one that runs hourly? Do I set up two Timer assets and somehow add identifying characteristics to differentiate the events that each asset will generate?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phantom_mhike
SplunkTrust
SplunkTrust
‎12-03-2019 10:59 AM

In the past I have created timers for these that generate containers and each of the timer assets apply a label to the containers that indicate their schedule ie. "scheduled-hourly" for a timer that generates every hour or "scheduled-daily", "scheduled-5min" etc. The different labels make it easy to apply playbooks to them as well as identify where the containers came from when looking at the analyst queue.

View solution in original post

Reply
Solved! Jump to solution
Solution

phantom_mhike
SplunkTrust
SplunkTrust
‎12-03-2019 10:59 AM

In the past I have created timers for these that generate containers and each of the timer assets apply a label to the containers that indicate their schedule ie. "scheduled-hourly" for a timer that generates every hour or "scheduled-daily", "scheduled-5min" etc. The different labels make it easy to apply playbooks to them as well as identify where the containers came from when looking at the analyst queue.

Reply
Solved! Jump to solution

AlexBryant
Path Finder
‎12-04-2019 08:26 AM

That worked! It took a few minutes to figure out how to implement it, so I'll post the details for others. Go into Administration --> Event Settings --> Label Settings. Add a new label with a meaningful name like "timer_5_minutes". In the Timer app, add a new asset, and in the ingest settings, set it to run on the appropriate schedule (in this case, every 5 minutes), and set the 'Label To Apply' to be the label added above in administration. Now, there's an asset in Timer that will run every 5 minutes and create an event called timer_5_minutes. In your playbook settings, set the "Operates On" value to also be "timer_5_minutes"...the playbook will now run every time the Timer app creates one of these events, and will execute according to your schedule.

Reply
Solved! Jump to solution

satishclarios
New Member
‎05-28-2020 08:44 AM

@AlexBryant Thank you for detail explanation

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...