Splunk SOAR

Delay in running multiple playbooks on the same event - Is there some way to configure SOAR to run these 2 playbooks?

mladen_tomic
Engager

Two independent playbooks performing different automation tasks are triggered by the same event. The expectation is that both playbooks will start at approximately the same time; however, it was observed that in some cases they start anywhere between 10 sec and 50 sec apart. Is there some way to configure SOAR to run these 2 playbooks synchronously?

First playbook start time:

2022-10-12T15:07:40.773325Z: Starting playbook 'core/SGs Link Verification (id: 121, version: 14, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 513, running as user '2' with scope 'new'

Second playbook start time:

2022-10-12T15:08:32.483185Z: Starting playbook 'core/Limit SGs Run Time (id: 122, version: 10, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 514, running as user '2' with scope 'new'

0 Karma

phanTom
SplunkTrust

@mladen_tomic are both playbooks set to active or called from a "Parent" at the same time?

If you are setting them both active I would just look to call them both at the same time in a single, parent playbook as they will definitely both trigger at the same time if done like this and then you also only have 1 active playbook instead of 2 to manage! You can toggle a switch to make them synchronous too which means they won't continue down the playbook logic until they are complete, and if necessary you can use a join on the downstream block to make sure both playbooks complete before continuing.

-- Hope this helped! Happy SOARing! If this solved your issue please mark as a solution --

0 Karma

mladen_tomic
Engager

@phanTom 

2nd playbook is checking 1st playbook's run time and it terminates it if it goes over the threshold. So they cannot be in one parent playbook.

0 Karma