Splunk Tech Talks
Deep-dives for technical practitioners.

Understanding Phantom’s Join Logic

Splunk Employee
Splunk Employee

View our Tech Talk: Security Edition, Understanding Phantom’s Join Logic. 


Playbooks allow analysts to automate everyday security tasks and save time. Oftentimes, these playbooks are simple: run a query or complete a single action. However, playbooks can also be very complex. As that complexity grows, there’s a need for more advanced features of playbook design to be considered to ensure they run effectively.


One of the ways to do this is to take a look at how parallel action blocks are set to re-join each other to continue processing. Have your complex playbooks ever stopped running unexpectedly after parallel single actions? That’s probably because of your ‘join’ settings. This talk will explain how Phantom’s 'join' logic works, and tips for writing effective and error-free playbooks.

Tune in to learn:

  • What may cause a playbook to stop running unexpectedly and how to fix it
  • How to use the join logic effectively 
  • How to properly use Phantom join logic in a live demo
Tags (2)
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...