Splunk® SOAR (Cloud)

Build Playbooks with the Playbook Editor

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

View or edit the Python code in playbooks

Click the Python Playbook Editor tab to view the underlying Python code for your playbook. The code for the entire playbook is shown by default. Click any block in your playbook to view the code for the selected block only.

See the following documentation for more information about Python code in your playbooks:

Splunk does not support custom Python packages.

Manage your editing session

Use the icons in the Python Playbook Editor to manage your editing session.

Icon Description
The Full Playbook icon View the Python code for the entire playbook. Using this icon is useful if you are viewing the Python code for a specific block on the canvas, and want to return to view the Python code for the entire playbook.
The Global Block icon Add code that needs to be defined at the global level of the playbook, such as import statements for Python libraries.
The Active Block icon View functions for blocks that have diverging or converging actions. The functions are explained in the following list:
  • Block Function is highlighted when viewing the Python code that is applicable to a single block
  • Callback Function is used to view to the block of code that is generated to split the output of the single block into multiple blocks.
  • Join Function is used to view the block of code that is generated to join the output of the multiple blocks into a single block.
The Revert Changes icon Go back to the original version and discard all changes. If there are changes to revert, the button turns white when you hover over it.

How custom Python edits affect the visual playbook editor

When you see Playbook Code in the Python Playbook Editor, you are making changes affecting the whole playbook. When you begin to make edits, you are prompted to verify that you want to continue. If you continue, you will no longer be able to edit the playbook using the playbook editor. All changes to the playbook must be made by editing or adding Python code.

If you click a block in the playbook, your edits only disable the playbook editor for that block. The Python Playbook Editor changes from Playbook Code to the name of the Python function called in that block. You can continue to use the playbook editor to add, edit, or delete other blocks in the playbook. If you want to add another block downstream from the block you edited, you have to manually enter a Python function call for the next block, such as phantom.act(). The playbook editor doesn't generate Python code for any block containing custom edits.

When editing the Python code for a Code block, make your edits in the editable area in order for callback functions to work.

  1. Create a Code block in the playbook editor. See Add custom code to your playbook with the code block.
  2. Click Python Playbook Editor.
  3. Click the Code block.
  4. Write your custom code in the area with the # Write your custom code here... text.
    ################################################################################
    ## Custom Code Start
    ################################################################################
    
    # Write your custom code here...
    
    ################################################################################
    ## Custom Code End
    ################################################################################
    
Last modified on 18 September, 2024
View or edit playbook settings in Splunk SOAR   Create custom lists for use in playbook comparisons

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters