Splunk® SOAR (Cloud)

Develop Apps for Splunk SOAR (Cloud)

Acrobat logo Download manual as PDF


The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Acrobat logo Download topic as PDF

Platform installation for Python 3

The Splunk SOAR installation includes a Python 3 runtime environment.

If you are developing an app, supports apps written in Python 3. Python 2 is not supported.

Splunk does not support custom Python packages.

Python installation path

Only Python 3 is included in the platform installation.

  • The path to Python 3 is <SOAR_HOME>/usr/python39/bin/python3.9m.
  • For Splunk SOAR (Cloud) installations, <SOAR_HOME> is /opt/phantom.

A symlink to <SOAR_HOME>/opt/phantom/usr/bin/python3 is included for convenience. Splunk SOAR (Cloud) uses this symlink to access Python.

Pip installation path

Pip 3 is included in the platform for installing Python 3 packages.

Pip 3 is included in <SOAR_HOME>/usr/python39/bin/pip3.

A symlink to pip 3, <SOAR_HOME>/usr/bin/pip3 is included. Splunk SOAR (Cloud) uses this symlink to access pip 3.

App development script installation path

This entire section refers to scripts and CLI/SSH items which are not available in Splunk SOAR (Cloud). If you want to use a playbook action that requires packages that weren't installed in Splunk SOAR (Cloud), create a custom app to import the package and then build the app that contains the actions needed. See Create an app with the App Wizard.

The following scripts and commands are included in the platform for developing Python 3 apps:

  • create_tj.pyc
  • create_output.pyc
  • phenv compile_app command

Compatible Python 3 scripts

Scripts that are compatible with Python 3 are included in the following location:

  • For Splunk SOAR (Cloud) deployments, <SOAR_HOME> is /opt/phantom.
  • For Splunk SOAR ((On-premises) privileged deployments prior to release 5.4.0, <SOAR_HOME> is /opt/phantom.
  • For Splunk SOAR (On-premises) unprivileged deployments, <SOAR_HOME> is configured by your Splunk SOAR Administrator.
  • The path to scripts is <SOAR_HOME>/bin/<script>.

Run the scripts using phenv python3 as follows: 

[phantom@phantom phipinfoio]$ phenv python <SOAR_HOME>/bin/<script>.pyc
Last modified on 27 March, 2024
PREVIOUS
Map Template 		  NEXT
Convert apps from Python 2 to Python 3

This documentation applies to the following versions of Splunk® SOAR (Cloud): current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters