Splunk SOAR

Why am I unable to save Phantom Playbook?

lynnn_
Loves-to-Learn Everything

Hi, I am using the phantom ova to run my Phantom instance. I have just managed to run my playbooks when I previously tested it 8 hours ago. However upon creating a new simple playbook and running the previously created playbook, I get the following error:

Error updating playbook.<br/>cannot mmap an empty file

 

Hence I am unable to save any progress on any playbooks now.

I had tried search online for solutions but am unable to do so. I had come across an article (i forgot the link) that had stated the commands /opt/phantom/bin/stop_phantom.sh and /opt/phantom/bin/start_phantom.sh to restart the phantom ova instance however it is not having any effect. I attempted to restart the phantom service a few times, and restarted the vm a few times, but it does not seem to work. I then attempted to delete the VM from disk and reimport it, and the playbooks work fine until after a while and the cycle repeats itself... While reimporting the vm "works", it is troublesome to reconfigure my current settings on the reimported instance every time I encounter this error.

Is there a better solution to this?

 

lynnn__1-1667833578650.png

As seen from the image, this 2nd playbook is a simple one, and the first playbook one I could run is also similar. Both playbooks have been configured and saved before I saved the virtualbox vm state as I switched to other matters, and when I resume the vm, I'll get this error. Please help, thank you very much!

Labels (1)
0 Karma

sd1
New Member

Where you ever able to solve this issue? I am running into the same thing. One day I created a basic playbook to block an incoming IP. It worked fine. The next day I tried to add some more actions (create Jira ticket), and now it wont let me save changes and says "cannot mmap to an empty file". Not sure why I am getting this error. 

0 Karma

phanTom
SplunkTrust
SplunkTrust

@sd1 any chance you left it long enough to be affected by the system time out settings (Inactivity/Default)?

I have seen this happen before and the only way to save it was to use the "save as" option, save under a different name and then delete the old/original and rename the new one to the original name. 

I hope this helped! Happy SOARing!

0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...