Splunk SOAR (f.k.a. Phantom)

Phantom Runner number of suggestions


Our Phantom's DECIDED process often crashes for performance reasons.

We suspect this is caused by the low number of runners.


So if the Phantom server has 16 cores and 256GB of memory, how many runners should we set here?

@PwC-Kimmy I don't think there is a direct mapping of resources to runners. It's more of an incremental implement and check.

The docs about the runners state the below, which I think is relevant:

Increase the number of runners by one, or one for each python environment and measure performance before adding additional runners. Repeat this until you either achieve the performance gains desired, reach the maximum number of runners for each python environment, or encounter resource limits.

When you increase the number of Python runners you can see a decrease in the length of time it takes to complete a playbook. Many deployments can expect to see gains by adding between one and four more of each type of Python runner, with gains from adding additional Python runners tapering off after a total of five of each Python runner type.

