Splunk SOAR (f.k.a. Phantom)

Why am I unable to save Phantom Playbook?

lynnn_
Loves-to-Learn Everything

Hi, I am using the Phantom OVA to run my Phantom instance. I have just managed to run my playbooks when I previously tested them 8 hours ago. However, upon creating a new simple playbook and running the previously created playbook, I get the following error:

Error updating playbook.<br/>cannot mmap an empty file

Hence I am unable to save any progress on any playbooks now.

I had tried searching online for solutions but have been unable to find any. I had come across an article (I forgot the link) that stated the commands /opt/phantom/bin/stop_phantom.sh and /opt/phantom/bin/start_phantom.sh to restart the Phantom OVA instance; however, it is not having any effect. I attempted to restart the Phantom service a few times, and restarted the VM a few times, but it does not seem to work. I then attempted to delete the VM from disk and reimport it, and the playbooks work fine until after a while and the cycle repeats itself... While reimporting the VM "works", it is troublesome to reconfigure my current settings on the reimported instance every time I encounter this error.

Is there a better solution to this?

As seen from the image, this 2nd playbook is a simple one, and the first playbook I could run is also similar. Both playbooks had been configured and saved before I saved the VirtualBox VM state as I switched to other matters, and when I resume the VM, I'll get this error. Please help, thank you very much!


sd1
New Member

Were you ever able to solve this issue? I am running into the same thing. One day I created a basic playbook to block an incoming IP. It worked fine. The next day I tried to add some more actions (create Jira ticket), and now it won't let me save changes and says "cannot mmap to an empty file". Not sure why I am getting this error.

phanTom
SplunkTrust

@sd1 any chance you left it long enough to be affected by the system time out settings (Inactivity/Default)?

I have seen this happen before and the only way to save it was to use the "save as" option, save under a different name and then delete the old/original and rename the new one to the original name. 

I hope this helped! Happy SOARing!
