Splunk® Phantom

Use Splunk Phantom



This documentation does not apply to the most recent version of Phantom.

View or edit the Python code in Splunk Phantom playbooks

Click the Python Playbook Editor tab to view the underlying Python code for your playbook. The code for the entire playbook is shown by default. Click any block in your playbook to view the code for the selected block only.

The on_start function is similar to the main or begin functions in other programming languages. Splunk Phantom executes the Python code in your playbooks by calling the on_start function with the container context.

Manage your editing session

Use the icons in the Python Playbook Editor to manage your editing session.

Icon: Description
The Full Playbook icon: View the Python code for the entire playbook. Use this icon when you are viewing the Python code for a specific block on the canvas and want to return to the Python code for the entire playbook.
The Global Block icon: Add code that needs to be defined at the global level of the playbook, such as import statements for Python libraries.
The Block, Callback, and Join icon: View functions for blocks that have diverging or converging actions. The functions are explained in the following list:
  • Block Function is highlighted when viewing the Python code that is applicable to a single block.
  • Callback Function is used to view the block of code that is generated to split the output of the single block into multiple blocks.
  • Join Function is used to view the block of code that is generated to join the output of the multiple blocks into a single block.
The Revert Changes icon: Go back to the original version and discard all changes. If there are changes to revert, the button turns white when you hover over it.

How custom Python edits affect the visual playbook editor

When you see Full Code in the Python Playbook Editor, you are making changes affecting the whole playbook. When you begin to make edits, you are prompted to verify that you want to continue, which disables the visual playbook editor (VPE) for the playbook. Now, you can only edit the Python code.

If you click a block in the playbook, your edits only disable the VPE for that block. The Python Playbook Editor changes from Full Code to the name of the Python function called in that block. You can continue to use the VPE to add, edit, or delete other blocks. If you want to add another block downstream from the block you edited, you have to manually enter a Python function call for the next block, such as phantom.act(). The VPE doesn't generate Python code for any block containing custom edits.
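The following added example, which is not code from Splunk or from this manual, sketches a hand-edited block that validates artifact values and then makes the downstream phantom.act() call by hand, starting from on_start. The function names, the "maxmind" asset name, the sample_rows key, and the offline stand-in for the phantom module are assumptions made for illustration.

```python
import ipaddress

try:
    import phantom.rules as phantom  # present only inside Splunk Phantom
except ImportError:
    class _StandIn:  # constructed stand-in so the sketch also runs offline
        calls = []
        def debug(self, message):
            pass
        def collect2(self, container=None, datapath=None):
            return container.get("sample_rows", [])  # constructed sample data
        def act(self, action, parameters=None, assets=None, callback=None, name=None):
            self.calls.append((action, parameters, name))
    phantom = _StandIn()

def on_start(container):
    # Entry point: the platform calls this with the container context.
    filter_public_ips(container=container)

def filter_public_ips(container=None, **kwargs):
    # Custom-edited block (hypothetical name): the VPE no longer generates its code.
    rows = phantom.collect2(container=container,
                            datapath=["artifact:*.cef.sourceAddress", "artifact:*.id"])
    parameters = []
    for value, artifact_id in rows:
        try:
            ip = ipaddress.ip_address(value)
        except (ValueError, TypeError):
            phantom.debug("skipping non-IP artifact value: %r" % (value,))
            continue
        if ip.is_global:  # drop private, loopback and reserved addresses
            parameters.append({"ip": str(ip), "context": {"artifact_id": artifact_id}})
    if parameters:
        # Hand-written hop to the next block; the VPE will not add it for us.
        geolocate_ip_1(container=container, parameters=parameters)
    return parameters

def geolocate_ip_1(container=None, parameters=None, **kwargs):
    # Downstream block; "maxmind" is an assumed asset name.
    phantom.act("geolocate ip", parameters=parameters, assets=["maxmind"],
                callback=on_geolocate_done, name="geolocate_ip_1")

def on_geolocate_done(action=None, success=None, container=None, results=None, **kwargs):
    phantom.debug("geolocate ip finished, success=%s" % success)
```
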

When editing the Python code for a Custom Function block, make your edits in the editable area in order for callback functions to work.

  1. Create a Custom Function block in the VPE. See Add custom code with the custom function block.
  2. Click Python Playbook Editor.
  3. Click the Custom Function block.
  4. Write your custom code in the area with the # Write your custom code here... text.
    ################################################################################
    ## Custom Code Start
    ################################################################################
    
    # Write your custom code here...
    
    ################################################################################
    ## Custom Code End
    ################################################################################
    
Last modified on 06 April, 2020

This documentation applies to the following versions of Splunk® Phantom: 4.8

