- Scott Odle
- Daniel Pierson
https://conf.splunk.com/watch/conf-online.html?search=obs1425b#/
This playbook demonstrates how Splunk SOAR can automatically handle a "Disk Full" episode from Splunk ITSI. It is designed to work with your orchestration layer (for example, Puppet or Ansible) to run commands on the affected host and troubleshoot the alert condition.
- Compile the playbook into a tarball by running `make playbook`.
- In the SOAR UI, select "Playbooks" from the main menu and click the "Import playbook" button.
- Choose the `build/obs1425b.tgz` file that was generated by the build script, and upload it. Choose the source repo that you want to import it to (probably `local`, if this is a new SOAR instance).
- Find the newly-imported playbook in the list and open it. You can view this playbook in the Visual Playbook Editor, and adapt it to fit your needs.