Splunk SOAR (f.k.a. Phantom)

Advanced SOAR python, playbook custom function use


Hi, I've got a problem with this playbook code block: the custom functions I try to execute seem to hang indefinitely. I also know the custom function works because I've successfully used it from a utility block.

I've tried a few different arrangements of this logic, including initializing cfid with both the custom function calls and consolidating custom function names into a single while loop with the phantom.completed, and have used pass instead of sleep.

But the custom function doesn't seem to return/complete. 


Here's another example, which is basically the same except it consolidates the while loops and executes both the custom functions at the same time.


Once either of these above scenarios (or something similar) is successful, I need to get the results from the custom function executions (below pic), combine them into a single string and then send "data" to another function:
> post_http_data(container=container, body=json.dumps({"text": data}))



Any assistance would be great. Thanks.


0 Karma




Thanks for the reply. The whole VPE is kinda clunky, but I guess that's part of what the SOAR is for: to provide a visual programming interface.

I ended up writing a Python module and installed it via the backend procedure with pip.

0 Karma

Path Finder

In my limited testing, SOAR doesn't seem to like handling custom functions within a single code block. It doesn't want to wait for the custom function to actually finish before moving on.

For reference, first_code_block just calls a custom function and second_code_block runs phantom.completed() on that function.


If you have to call the function from within a code block, you can add a callback. This will make sure the code doesn't move on until the run finishes. I wasn't able to get the callback to work on a second function within the same block. (One note on this: Phantom will call the last two lines of the code block before the custom function finishes.)

phantom.custom_function(... callback=second_code_block)


The easiest method by far is to just put each custom function into its own block, then do whatever processing you need in a custom code block below. By default, SOAR will wait for any simultaneous blocks to finish before running the next step.
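
The join-callback pattern described in this answer, as an added sketch that is not code from the thread: each custom function gets its own block function, both share one callback, and the callback only proceeds once `phantom.completed()` reports that every block has finished. The block names, the custom function paths, the `text` output field and the offline stand-in for `phantom` are assumptions; `post_http_data` here stands in for the poster's own function.

```python
import json

try:
    import phantom.rules as phantom   # real API, available inside a SOAR playbook
except ImportError:
    class _StandIn:                   # constructed stand-in so the sketch runs offline
        def __init__(self):
            self.done = {}
        def custom_function(self, custom_function, parameters, name, callback):
            self.done[name] = custom_function + " ok"   # constructed result
            callback(container={"id": 1})
        def completed(self, custom_function_names):
            return all(n in self.done for n in custom_function_names)
        def collect2(self, container, datapath):
            return [[self.done[datapath[0].split(":")[0]]]]
    phantom = _StandIn()

CF_BLOCKS = ["cf_lookup_a", "cf_lookup_b"]   # hypothetical block names
SENT = []                                    # what post_http_data received

def post_http_data(container=None, body=None):
    SENT.append(body)                 # stand-in for the poster's own function

def cf_lookup_a(container=None, **kwargs):
    phantom.custom_function(custom_function="local/lookup_a", parameters=[{}],
                            name="cf_lookup_a", callback=join_send_results)

def cf_lookup_b(container=None, **kwargs):
    phantom.custom_function(custom_function="local/lookup_b", parameters=[{}],
                            name="cf_lookup_b", callback=join_send_results)

def join_send_results(container=None, **kwargs):
    # Runs once per finished custom function; do nothing until all are complete.
    if not phantom.completed(custom_function_names=CF_BLOCKS):
        return
    parts = []
    for name in CF_BLOCKS:
        # "text" is an assumed output name on the custom functions
        rows = phantom.collect2(container=container,
                                datapath=[name + ":custom_function_result.data.text"])
        parts.extend(str(row[0]) for row in rows if row[0] is not None)
    data = "\n".join(parts)
    post_http_data(container=container, body=json.dumps({"text": data}))

def on_start(container):
    cf_lookup_a(container=container)
    cf_lookup_b(container=container)
```

No `while` loop or `sleep` is involved: the playbook function returns right after launching the custom functions, and the combining step lives entirely in the callback.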


