Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- How do I try an action several times?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have an action that I need a response from before the playbook can proceed, but the app is prone to occasionally time out or return an invalid result. To handle this, I want to try the action 3 times; if I still don't get a valid response, then the playbook should proceed with handling it as a failure and alert as such. I'm having trouble finding a good way to build the loop, though. It doesn't appear that there's a way to declare a variable (i.e. the loop counter) outside the action block, so I have no way to tell where I am in the loop. How can I declare a variable with global scope (or at least scope it outside the action block) in 5.2.1.78411? Alternately, is there a "retry this action n times if it fails" option that I can apply?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ben_r loops are not supported, yet, in playbooks but I would expect is on a roadmap somewhere as the community has been asking for a while! There is also no "retry n times on failure", but this could be written in to the app but you would need to let the app know how to determine the invalid response.
It depends on how you are determining a "valid response" but if you only need to try a max of 3 times, for now, and to keep your playbook "clean" from too much custom code, I would just have the action, followed by a decision 3 times. If the 1st action is "invalid response" in the decision block, call the 2nd action block and so on.
Loops can be done but you need to edit a lot of the code to make it work and it's not really best practise to do it like that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ben_r loops are not supported, yet, in playbooks but I would expect is on a roadmap somewhere as the community has been asking for a while! There is also no "retry n times on failure", but this could be written in to the app but you would need to let the app know how to determine the invalid response.
It depends on how you are determining a "valid response" but if you only need to try a max of 3 times, for now, and to keep your playbook "clean" from too much custom code, I would just have the action, followed by a decision 3 times. If the 1st action is "invalid response" in the decision block, call the 2nd action block and so on.
Loops can be done but you need to edit a lot of the code to make it work and it's not really best practise to do it like that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply @phanTom ; I was hoping there might be a canned action for it but I guess there isn't. I did try declaring a counter variable in global scope in a custom code block at the top of the playbook and tried testing against it in a decision block right after the action, but while I can address it in the custom blocks with global, there doesn't seem to be a way to make it available to the decision block:
Oct 13, 09:06:20 : phantom.condition(): condition loop: condition 1, 'failed' '!=' 'success' => result:True
Oct 13, 09:06:20 : phantom.condition(): condition 2 to evaluate: LHS: global userDevicesLoop OPERATOR: < RHS: 3
Oct 13, 09:06:20 : phantom.condition(): condition loop: condition 2, 'userDevicesLoop' '<' '3.0' => result:False
.conf25 Community Recap
Splunk App Developers | .conf25 Recap & What’s Next
Congratulations to the 2025-2026 SplunkTrust!
