https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/532789#M522 <P>Hi There,</P><P>Below is the logic I am trying to achieve:</P><P>Perform enrichment on a list of host via information extraction using a Spunk's run query action. The resulting results will then be added as an artifact.</P><P>1. Get&nbsp; List of Hosts and run each one of them against step 2.<BR />2. Run a Splunk query which aims to get the host info (e.g. ldap details)<BR />3. Extract the details from the splunk query and add an artifact.<BR />4. Loop until steps 2-4 until the all the host in the list has been processed.</P><P>Issue:</P><P>The first loop is working fine, I am able to successfully run the query, extract the fields and place them in a format block and then add them as an artifact.</P><P>The problem comes in the succeeding searches, the splunk searches appears to be successful, but the resulting data is not passed properly, the value appears to show as None.</P><P>Note that the same format block works for every first time you run the playbook.</P><P>Another thing to note is that i am using a Join Function and using the built in add artifact action.</P><P>Cheers,<BR />Carl</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Dec 2020 12:37:50 GMT carl72086 2020-12-11T12:37:50Z https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/532789#M522 <P>Hi There,</P><P>Below is the logic I am trying to achieve:</P><P>Perform enrichment on a list of host via information extraction using a Spunk's run query action. The resulting results will then be added as an artifact.</P><P>1. Get&nbsp; List of Hosts and run each one of them against step 2.<BR />2. Run a Splunk query which aims to get the host info (e.g. ldap details)<BR />3. Extract the details from the splunk query and add an artifact.<BR />4. Loop until steps 2-4 until the all the host in the list has been processed.</P><P>Issue:</P><P>The first loop is working fine, I am able to successfully run the query, extract the fields and place them in a format block and then add them as an artifact.</P><P>The problem comes in the succeeding searches, the splunk searches appears to be successful, but the resulting data is not passed properly, the value appears to show as None.</P><P>Note that the same format block works for every first time you run the playbook.</P><P>Another thing to note is that i am using a Join Function and using the built in add artifact action.</P><P>Cheers,<BR />Carl</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Dec 2020 12:37:50 GMT https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/532789#M522 carl72086 2020-12-11T12:37:50Z https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/533849#M524 <P>Update:&nbsp; Managed to figure this out after tons of testing. If you have multiple queries (e.g. splunk queries) inside a join loop, you need to be able to save the query result data and the easiest way to do that without having to add artifacts is to create a custom function after each query and pass the data (via custom function input an output). In that way you can call the custom function outputs at the end of the playbook and be able to format it as needed.</P> Tue, 22 Dec 2020 14:58:50 GMT https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/533849#M524 carl72086 2020-12-22T14:58:50Z https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/650476#M1211 <P>Hello,</P><P>&nbsp;</P><P>I am trying to create the custom code but no luck is it possible to share the custom code you have created so i can have modify it?</P> Fri, 14 Jul 2023 06:17:25 GMT https://community.splunk.com/t5/Splunk-SOAR/Phantom-Looped-Splunk-Run-Query-action-able-to-display-results/m-p/650476#M1211 prasanthkota 2023-07-14T06:17:25Z