I currently have a playbook that runs 3 actions within it (creating a Splunk search, sharing the job, and expanding ttl, all while using the loop-if-failure feature) and returns outputs (summary, status, and the search results). I'm trying to do a for-loop where it calls that playbook with different params using phantom.playbook() though I am having trouble finding the actual playbook output in the callback function.
Example:
for loop:
    inputs = {<changing params>}
    new_name = "<changing string>"
    phantom.playbook("my_playbook", container=container, name=new_name, input=inputs, callback=my_callback)
where in my_callback:
    I try phantom.collect2(container=container, datapath=["new_name:playbook_output:search_results_data"], action_results=results)
which doesn't work. I tried printing out general "results" which gives me info such as:
name
playbook
playbook_run_id
result (which contains a dictionary for info on each of the 3 actions)
but this doesn't include the output data of the playbook itself (or the run_query Splunk search results).
I did see a past post that didn't get an answer (or at least not the answer that fits my scenario: https://community.splunk.com/t5/Splunk-SOAR/How-to-get-output-data-when-calling-a-playbook-through-t...). My use case needs to use the subplaybook and not the actions directly due to configuration reasons (mainly the asset field needs to be configurable rather than hard-set via the Splunk App runquery action block).
Any help or direction would be super appreciated!
Hello @nongingerale
I don't have much experience but what I can see is:
phantom.collect2 with a playbook_output datapath works for static visual playbook blocks, not dynamic calls from custom code in a loop. With a dynamic name, the datapath can't be resolved the way SOAR's data engine expects.
Maybe you can try to handle it in python code, something like this:
(code not tested)
import json

def my_callback(action=None, success=None, container=None, results=None, handle=None, **kwargs):
    phantom.debug("my_callback() called")
    for result in results or []:
        run_id = result.get('playbook_run_id')
        if not run_id:
            continue
        # Hit SOAR's internal REST API — no auth token needed when called from within a playbook
        # requests needs an absolute URL, so build it from the instance's REST base URL
        url = phantom.build_phantom_rest_url('playbook_run', str(run_id))
        # verify=False skips TLS certificate verification; keep this call limited to the local SOAR instance
        response = phantom.requests.get(url, verify=False)
        if response.status_code != 200:
            phantom.error(f"Failed to get playbook run {run_id}: {response.status_code}")
            continue
        run_data = response.json()
        raw_outputs = run_data.get('outputs')  # list of JSON-encoded strings
        if not raw_outputs:
            phantom.debug(f"No outputs for run {run_id} — is the subplaybook an input playbook with defined outputs?")
            continue
        for raw in raw_outputs:
            output = json.loads(raw)
            search_results = output.get('search_results_data')  # your output name
            phantom.debug(f"Got search_results_data: {search_results}")
I hope this helps!!!