Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Code Block in the playbook?

AliMaher
Path Finder
‎10-10-2025 03:32 PM

Hello,

I tried to go through the playbook, and unfortunately found two bad things:

1- If you use the python editor, you can't use the visual editor anymore!!!!!

2- I tried to add a code block to refine an output of the previous step but also I can't continue with the visual editor??

Q: Why this behavior exists? 

Labels (2)
0 Karma
Reply

AliMaher
Path Finder
‎10-11-2025 06:12 AM

Thanks for your support, in the below example I received a list of IPs and want to check reputation of them using virus total, before that I want to check if those IPs are public or private IP.

I tried to use the Block code, unfortunately I couldn't, so I had to create custom python function and called it in the utility block.

I hope I could use simple code block without enforcing to create custom function.

 

2025-10-11_155756.png

0 Karma
Reply

marnall
Motivator
‎10-11-2025 06:23 AM

At least in SOAR 6.2+ (IIRC) it should be also possible to make a "Code" block that allows the direct addition of code to a playbook block without having to make and reference a custom function. I recall it having a dark blue block symbol.

0 Karma
Reply

marnall
Motivator
‎10-10-2025 11:54 PM

This is intended behavior, because the visual editor was not designed to interpret and handle custom code. The visual editor is for applying common configurations, but when you modify the code directly by yourself then you are assuming manual control and cannot rely on the visual editor unless you revert the custom code changes.

Making a code block to refine output of another block should not prevent the previous block from being editable by the visual editor.

Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...