Splunk SOAR (f.k.a. Phantom)

Why am I unable to save Phantom Playbook?

lynnn_
Loves-to-Learn Everything

Hi, I am using the phantom ova to run my Phantom instance. I have just managed to run my playbooks when I previously tested it 8 hours ago. However upon creating a new simple playbook and running the previously created playbook, I get the following error:

Error updating playbook.<br/>cannot mmap an empty file

 

Hence I am unable to save any progress on any playbooks now.

I had tried searching online for solutions but was unable to find any. I had come across an article (I forgot the link) that had stated the commands /opt/phantom/bin/stop_phantom.sh and /opt/phantom/bin/start_phantom.sh to restart the phantom ova instance; however, it is not having any effect. I attempted to restart the phantom service a few times, and restarted the VM a few times, but it does not seem to work. I then attempted to delete the VM from disk and reimport it, and the playbooks work fine until after a while and the cycle repeats itself... While reimporting the VM "works", it is troublesome to reconfigure my current settings on the reimported instance every time I encounter this error.

Is there a better solution to this?

 

[Image: lynnn__1-1667833578650.png]

As seen from the image, this 2nd playbook is a simple one, and the first playbook I could run is also similar. Both playbooks had been configured and saved before I saved the VirtualBox VM state as I switched to other matters, and when I resume the VM, I get this error. Please help, thank you very much!


sd1
New Member

Were you ever able to solve this issue? I am running into the same thing. One day I created a basic playbook to block an incoming IP. It worked fine. The next day I tried to add some more actions (create Jira ticket), and now it won't let me save changes and says "cannot mmap to an empty file". Not sure why I am getting this error.


phanTom
SplunkTrust

@sd1 any chance you left it long enough to be affected by the system time out settings (Inactivity/Default)?

I have seen this happen before and the only way to save it was to use the "save as" option, save under a different name and then delete the old/original and rename the new one to the original name. 

I hope this helped! Happy SOARing!
