Simplifying Automation with Splunk SOAR: Using Find Playbooks to Run Playbooks 

By Nathan Holloway, Security Automation Engineer

In traditional Splunk SOAR development, managing interconnected playbooks often leads to bloated, inflexible designs. A simple improvement—using Find Playbooks—can significantly streamline operations, reduce maintenance overhead, and improve agility in your automation workflows. 

Why Use Find Playbooks? 

The conventional method of orchestrating playbook execution involves calling child playbooks directly from a parent. While functional, this model quickly becomes unwieldy as your environment scales. 

Common challenges include: 

  • Massive “controller” playbooks that do little beyond calling other playbooks. 
  • Decision-tree sprawl, where you need to build complex logic just to choose which playbook to run. 
  • Ongoing maintenance headaches: Every time you create a new playbook, you have to manually add it to all relevant parent playbooks—opening the door to human error and missed use cases. 

This approach doesn’t scale well. It adds friction to playbook development, testing, and deployment. 

Enter: Find Playbooks 

Splunk SOAR’s Find Playbooks block allows you to search for and run playbooks dynamically based on metadata, such as tags, names, labels, or input specifications. This opens the door to a much more modular, automated design pattern. 

Benefits of Find Playbooks: 

  • Automatic discovery and execution: Tag a playbook (e.g., with “aux” or “phishing”) and it can be picked up dynamically. 
  • No updates to parent playbooks needed: Just tag your new playbook correctly and it will be included on the next execution. 
  • Clean separation of use cases: Run playbooks based on specific labels or inputs without cluttering your parent playbooks. 

This model allows for more agile development—teams can build, test, and deploy new playbooks with minimal coordination and no impact on existing logic. 

The Challenge: Interdependencies 

While powerful, Find Playbooks introduces a new challenge: playbook dependency handling. 

For example, if multiple auxiliary (aux) playbooks are running in parallel, but one depends on the output of another, you risk race conditions or incomplete data being used. Since Find Playbooks can trigger execution independently, there’s no native enforcement of execution order. 

The Solution: A Custom Function for Playbook Status Checking 

To solve this, you can build a custom function that checks the execution status of another playbook. 

How it works: 

  • Input the playbook name (in repo/name format) and container ID into the custom function. 
  • The function queries the platform for the status of that specific playbook—running, completed, or failed. 
  • Use Splunk SOAR’s built-in loop configuration in the block to repeatedly call the custom function until the desired status is met (e.g., status != running). 
  • Configure the loop to: 
      • Wait a specified number of seconds between iterations 
      • Set a maximum loop count 
      • Optionally cancel or fail gracefully after a timeout 

Example Use Case: 

If playbook_b depends on playbook_a finishing, add this check at the top of playbook_b. Once playbook_a is confirmed as completed (or failed), playbook_b proceeds. 
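The status check and loop described above, as an added example that is not the article's or Splunk's own code. It assumes (unconfirmed by the article) that the SOAR REST endpoint `playbook_run` accepts the Django-style filters `_filter_container` and `_filter_playbook__name`, returns records with `status` in `running`/`success`/`failed`, and that `phantom.build_phantom_rest_url` and `phantom.requests` are available in the custom-function runtime; the poll loop mirrors the block's loop settings in plain Python so the logic can be exercised offline with constructed run records.

```python
# Added example, not the article's or Splunk's code. A SOAR custom function
# that reports the run status of a named playbook on a container, plus a
# plain-Python poll loop mirroring the block loop (wait / max count / timeout).
# Assumed: "playbook_run" REST endpoint with _filter_container and
# _filter_playbook__name filters and "status" in running/success/failed;
# phantom.requests and phantom.build_phantom_rest_url exist in the runtime.
RUNNING, COMPLETED, FAILED, NOT_FOUND = "running", "completed", "failed", "not_found"


def summarize_runs(runs):
    """Collapse playbook_run records for one playbook/container into one status."""
    if not runs:
        return NOT_FOUND                          # dependency never launched here
    if any(r.get("status") == "running" for r in runs):
        return RUNNING                            # an in-flight run: data not final
    latest = max(runs, key=lambda r: r.get("id", 0))  # newest run decides outcome
    return COMPLETED if latest.get("status") == "success" else FAILED


def fetch_runs_from_soar(playbook_name, container_id):
    """Query the platform; only works inside SOAR (endpoint and filters assumed)."""
    import phantom.rules as phantom               # present only in the SOAR runtime
    name = playbook_name.split("/", 1)[-1]        # article uses "repo/name"; filter on name
    url = (phantom.build_phantom_rest_url("playbook_run")
           + '?_filter_container={}&_filter_playbook__name="{}"'.format(int(container_id), name))
    return phantom.requests.get(url, verify=False).json().get("data", [])


def check_playbook_status(playbook_name=None, container_id=None,
                          fetch=fetch_runs_from_soar, **kwargs):
    """Custom-function body: returns the outputs dict the calling block consumes."""
    runs = list(fetch(playbook_name, container_id))
    return {"playbook_name": playbook_name, "container_id": container_id,
            "status": summarize_runs(runs), "run_count": len(runs)}


def wait_for_playbook(playbook_name, container_id, fetch, wait_seconds=5,
                      max_loops=12, sleep=None):
    """Poll until status != running, like the block's loop config; None on timeout."""
    import time
    sleep = sleep or time.sleep
    for _ in range(max_loops):
        status = check_playbook_status(playbook_name, container_id, fetch=fetch)["status"]
        if status != RUNNING:
            return status                         # completed / failed / not_found
        sleep(wait_seconds)                       # wait between iterations
    return None                                   # max loop count hit: caller fails gracefully
```

Inside SOAR only `check_playbook_status` is needed as the custom function; the block's own loop configuration replaces `wait_for_playbook`, which is here to show the termination conditions explicitly.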

Putting It All Together 

Using this design pattern, each playbook remains self-contained. Any dependency logic is handled internally, without needing to update parent or sibling playbooks. 

Key advantages: 

  • Add new playbooks independently by tagging them appropriately. 
  • Enforce execution order only where necessary, using a reusable custom function. 
  • Scale your environment with minimal risk and low operational overhead. 

Once reviewed and deployed, the new playbook begins executing in production as soon as it meets your tagging/filter criteria—no coordination, no refactoring, no problem. 

Final Thoughts 

Find Playbooks unlocks a modern, modular approach to playbook orchestration in Splunk SOAR. Combined with a simple status-checking mechanism for inter-playbook dependencies, it lets you drastically simplify your playbook architecture while increasing reliability and flexibility. 

Ready to modernize your Splunk SOAR playbooks?
TekStream’s automation experts can help you streamline your architecture, reduce maintenance overhead, and operationalize best practices like Find Playbooks across your environment. Connect with our specialists today.

About the Author

Nathan Holloway is an accomplished IT professional with over 20 years of experience spanning data center operations, virtualization, automation, and security orchestration.

Beginning his career in data centers, Nathan honed his expertise in hardware and Linux systems administration during the first five years of his journey. Transitioning into virtualization, he spent the next five years working with VMware, where he served as a Tier 2 and Tier 3 engineer. During this time, he mastered Ruby and PowerShell, implemented Puppet to manage configurations for over 5,000 virtual machines, and developed a variety of automation solutions.

In the last six years, Nathan has focused on Splunk SOAR (Security Orchestration, Automation, and Response) at VMware and now TekStream. He has been instrumental in developing new actions and applications for Splunk SOAR and Splunk, driving innovation and efficiency in security and operational workflows.

With a proven track record in automation, scripting, and application development, Nathan brings a unique combination of technical acumen and practical problem-solving to every project.