Splunk SOAR

Is it possible to loop on custom list rows in SOAR/Phantom?

ben_r
Engager

I have a playbook that adds a row to a custom list for each task that can't be processed at runtime, and I'm building a second timer-driven playbook that should retry each of those actions. Each row has five columns, four for the values needed to attempt the action and a counter that should be incremented for each retry (after five tries, it should remove the row and alert that the task can't be performed automatically). 

I can use phantom.get_list() (and capturing only the third element, which is the list contents) to get the contents of the custom list into the retry playbook as a Python list, but I'm having trouble coming up with a way to iterate through them. I've tried the recommendation in another question/answer (https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/How-do-you-achieve-quot-for-quot-loops/m-p...), but passing the retrieved list from a code block into a format block with 

%%
{0}
%%

as the format, then doing a python.debug on format_1:formatted_data.* just returns the monolithic list once. The behavior I need is for it to spin up the code block for each row of the incoming list.

Is this possible with Phantom? If so, is this approach correct, and what might I be doing wrong here?

0 Karma

phanTom
SplunkTrust

@ben_r Everything is possible in SOAR/Phantom! The fun is trying to find the most stable & efficient way 😃

It's great you are trying to use the VPE capabilities for this, and you always should first, but I feel like this will need a Custom Function or 2 to make it work in the way you want. As you are possibly removing items from the list, I would recommend building the whole list and using the phantom.set_list() API, which will overwrite the list. I have found updating custom lists can be tricky if adding and removing items unless you just rebuild and overwrite.

I would call out, though, that custom lists are stored as a single object in the DB, so lots of read & write activity may mean it cannot be trusted to always be correct.

I would see the flow as:

  1. Custom Function to retrieve and parse the items needed to re-run
  2. Run actions
  3. Custom Function to work out which ones failed and which succeeded, rebuild the list and overwrite the list

I can't 100% picture your usage of the list data but am happy to try and help more if you want. 

0 Karma
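The parse and rebuild steps of the flow in the answer above, as an added example (not code from either poster or from Splunk). The function names, the sample rows and the list name in the comments are assumptions; the `phantom` calls appear only in comments so the logic runs outside SOAR.

```python
MAX_RETRIES = 5  # from the question: give up after five tries

# Constructed sample of the list contents: four action values plus a retry counter.
# Blank cells are assumed to arrive as None or "".
SAMPLE_ROWS = [
    ["block_ip", "fw01", "198.51.100.7", "ticket-1", "0"],
    ["block_ip", "fw01", "198.51.100.8", "ticket-2", "4"],
    ["disable_user", "ad01", "jdoe", "ticket-3", None],
    ["disable_user", "ad01", None, None, None],  # malformed: values missing
]

def parse_rows(raw_rows):
    """Step 1: turn list rows into (params, retry_count) items; set aside bad rows."""
    items, rejects = [], []
    for row in raw_rows:
        if not row or len(row) < 5 or any(c in (None, "") for c in row[:4]):
            rejects.append(row)  # surface these instead of retrying blindly
            continue
        try:
            count = int(row[4] or 0)  # empty counter counts as zero tries
        except (TypeError, ValueError):
            count = 0
        items.append((list(row[:4]), count))
    return items, rejects

def rebuild_list(items, outcomes, max_retries=MAX_RETRIES):
    """Step 3: outcomes[i] is True if items[i] succeeded. Returns (keep, alert)."""
    keep, alert = [], []
    for (params, count), ok in zip(items, outcomes):
        if ok:
            continue  # done: leave the row out of the rebuilt list
        count += 1
        target = alert if count >= max_retries else keep
        target.append(params + [str(count)])
    return keep, alert

if __name__ == "__main__":
    # In a playbook the rows would come from the third element of
    # phantom.get_list(list_name="retry_queue")   # list name is hypothetical
    items, rejects = parse_rows(SAMPLE_ROWS)
    # Step 2 (running the actions) is stood in for by fixed outcomes here.
    keep, alert = rebuild_list(items, [False, False, True])
    # Then overwrite in one write rather than editing rows in place:
    # phantom.set_list(list_name="retry_queue", values=keep)
    print("keep:", keep)
    print("alert:", alert)
    print("rejects:", rejects)
```

Writing the rebuilt list back once per run keeps the read and write activity on the single stored list object to a minimum.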