Splunk SOAR

Delay in running multiple playbooks on the same event - Is there some way to configure SOAR to run these 2 playbooks?

mladen_tomic
Engager

Two independent playbooks performing different automation tasks are triggered by the same event. The expectation is that both playbooks will start at approximately the same time; however, it was observed that in some cases they start anywhere between 10 sec and 50 sec apart. Is there some way to configure SOAR to run these 2 playbooks synchronously?

First playbook start time:

2022-10-12T15:07:40.773325Z: Starting playbook 'core/SGs Link Verification (id: 121, version: 14, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 513, running as user '2' with scope 'new'

Second playbook start time:

2022-10-12T15:08:32.483185Z: Starting playbook 'core/Limit SGs Run Time (id: 122, version: 10, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 514, running as user '2' with scope 'new'

0 Karma
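
To measure how often and by how much playbook starts on the same event drift apart, the "Starting playbook" debug lines quoted in the question can be parsed and grouped per event. This is an added example, not part of the original post or of Splunk SOAR; the function names, the 5-second threshold and the event 1812 lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Matches the "Starting playbook" debug line format quoted in the question.
START_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z: Starting playbook "
    r"'(?P<name>.+?) \(id: (?P<pb_id>\d+),.*?\)' on event '(?P<event>\d+)' "
    r"with playbook run id: (?P<run_id>\d+)"
)

def parse_starts(lines):
    """Yield (event_id, run_id, playbook_name, start_time) for each start line."""
    for line in lines:
        m = START_RE.match(line.strip())
        if not m:
            continue  # skip unrelated debug output
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        yield m["event"], int(m["run_id"]), m["name"], ts.replace(tzinfo=timezone.utc)

def start_gaps(lines, max_gap_seconds=5.0):
    """Return events whose first and last playbook starts are further apart
    than max_gap_seconds (threshold is an assumed value, tune as needed)."""
    by_event = defaultdict(list)
    for event, run_id, name, ts in parse_starts(lines):
        by_event[event].append((ts, run_id, name))
    report = {}
    for event, starts in by_event.items():
        if len(starts) < 2:
            continue  # a gap needs at least two playbook runs on the event
        starts.sort()
        gap = (starts[-1][0] - starts[0][0]).total_seconds()
        if gap > max_gap_seconds:
            report[event] = {"gap_seconds": gap, "first": starts[0][2], "last": starts[-1][2]}
    return report

SAMPLE = [
    # The two lines quoted in the question (event 1811).
    "2022-10-12T15:07:40.773325Z: Starting playbook 'core/SGs Link Verification (id: 121, version: 14, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 513, running as user '2' with scope 'new'",
    "2022-10-12T15:08:32.483185Z: Starting playbook 'core/Limit SGs Run Time (id: 122, version: 10, pyversion: 3, scm id: 10)' on event '1811' with playbook run id: 514, running as user '2' with scope 'new'",
    # Constructed lines for a hypothetical event 1812 with a 0.4 s gap.
    "2022-10-12T15:10:00.100000Z: Starting playbook 'core/SGs Link Verification (id: 121, version: 14, pyversion: 3, scm id: 10)' on event '1812' with playbook run id: 515, running as user '2' with scope 'new'",
    "2022-10-12T15:10:00.500000Z: Starting playbook 'core/Limit SGs Run Time (id: 122, version: 10, pyversion: 3, scm id: 10)' on event '1812' with playbook run id: 516, running as user '2' with scope 'new'",
]

if __name__ == "__main__":
    for event, info in start_gaps(SAMPLE).items():
        print(f"event {event}: {info['last']} started {info['gap_seconds']:.2f}s after {info['first']}")
```
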

phanTom
SplunkTrust

@mladen_tomic are both playbooks set to active or called from a "Parent" at the same time?

If you are setting them both active I would just look to call them both at the same time in a single, parent playbook as they will definitely both trigger at the same time if done like this and then you also only have 1 active playbook instead of 2 to manage! You can toggle a switch to make them synchronous too which means they won't continue down the playbook logic until they are complete, and if necessary you can use a join on the downstream block to make sure both playbooks complete before continuing.

-- Hope this helped! Happy SOARing! If this solved your issue please mark as a solution --

0 Karma

mladen_tomic
Engager

@phanTom 

2nd playbook is checking 1st playbook's run time and it terminates it if it goes over threshold. So they cannot be in one parent playbook.

0 Karma