Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I unable to save Phantom Playbook?

lynnn_
Loves-to-Learn Everything
‎11-07-2022 07:13 AM

Hi, I am using the phantom ova to run my Phantom instance. I have just managed to run my playbooks when I previously tested it 8 hours ago. However upon creating a new simple playbook and running the previously created playbook, I get the following error:

Error updating playbook.<br/>cannot mmap an empty file

 

Hence I am unable to save any progress on any playbooks now.

I had tried search online for solutions but am unable to do so. I had come across an article (i forgot the link) that had stated the commands /opt/phantom/bin/stop_phantom.sh and /opt/phantom/bin/start_phantom.sh to restart the phantom ova instance however it is not having any effect. I attempted to restart the phantom service a few times, and restarted the vm a few times, but it does not seem to work. I then attempted to delete the VM from disk and reimport it, and the playbooks work fine until after a while and the cycle repeats itself... While reimporting the vm "works", it is troublesome to reconfigure my current settings on the reimported instance every time I encounter this error.

Is there a better solution to this?

 

lynnn__1-1667833578650.png

As seen from the image, this 2nd playbook is a simple one, and the first playbook one I could run is also similar. Both playbooks have been configured and saved before I saved the virtualbox vm state as I switched to other matters, and when I resume the vm, I'll get this error. Please help, thank you very much!

Labels (1)
Labels
0 Karma
Reply

sd1
New Member
‎01-03-2023 08:27 AM

Where you ever able to solve this issue? I am running into the same thing. One day I created a basic playbook to block an incoming IP. It worked fine. The next day I tried to add some more actions (create Jira ticket), and now it wont let me save changes and says "cannot mmap to an empty file". Not sure why I am getting this error. 

0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎01-03-2023 08:30 AM

@sd1 any chance you left it long enough to be affected by the system time out settings (Inactivity/Default)?

I have seen this happen before and the only way to save it was to use the "save as" option, save under a different name and then delete the old/original and rename the new one to the original name. 

I hope this helped! Happy SOARing!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...