https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/539984#M573 <P>I'm running into an issue where I have multiple artifacts that are being submitted as a Splunk query. Below is my current workflow:</P><OL><LI>Extract domains from URL</LI><LI>Format Splunk query as such: '|inputlookup someCSV.csv | search domain={0}'</LI><LI>Run Splunk query</LI></OL><P>The issue lies in the Splunk query that is run appears to be appending the artifacts in a comma delimited list rather than individual queries:</P><UL><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain1.com, domain2.com, domain3.com</SPAN></LI></UL><P>When i'm expecting the following searches to be run:</P><UL><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain1.com</SPAN></LI><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain2.com</SPAN></LI><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain3.com</SPAN></LI></UL><P>Is there a way to construct this so each domain extracted is run in a separate Splunk query?</P> Mon, 15 Feb 2021 16:01:16 GMT wilcompl1334 2021-02-15T16:01:16Z https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/539984#M573 <P>I'm running into an issue where I have multiple artifacts that are being submitted as a Splunk query. Below is my current workflow:</P><OL><LI>Extract domains from URL</LI><LI>Format Splunk query as such: '|inputlookup someCSV.csv | search domain={0}'</LI><LI>Run Splunk query</LI></OL><P>The issue lies in the Splunk query that is run appears to be appending the artifacts in a comma delimited list rather than individual queries:</P><UL><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain1.com, domain2.com, domain3.com</SPAN></LI></UL><P>When i'm expecting the following searches to be run:</P><UL><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain1.com</SPAN></LI><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain2.com</SPAN></LI><LI><STRONG>query</STRONG><SPAN>&nbsp;=&nbsp;</SPAN><SPAN>| inputlookup someCSV.csv | search domain=domain3.com</SPAN></LI></UL><P>Is there a way to construct this so each domain extracted is run in a separate Splunk query?</P> Mon, 15 Feb 2021 16:01:16 GMT https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/539984#M573 wilcompl1334 2021-02-15T16:01:16Z https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/539987#M574 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/138142">@wilcompl1334</a>&nbsp;<BR /><BR />I can see you are using a format block due to the {0} item so this is a nice simple one <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span><BR /><BR />If you wrap your format content like&nbsp; this and use the formatted_data.* output in the run_query block:</P><P>%%<BR /><SPAN>|inputlookup someCSV.csv | search domain={0}<BR /></SPAN><SPAN>%%</SPAN></P><P>You should see in the run_query that Phantom builds the for loop based on the formatted_data.* being recognised as a list object. Without the formatted_data.* it will dump all 3 as a single string.&nbsp;</P><P>If this helps please mark as so, or ask for more assistance.</P><P>phanTom</P><P>&nbsp;</P> Mon, 15 Feb 2021 16:08:19 GMT https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/539987#M574 phanTom 2021-02-15T16:08:19Z https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/540025#M575 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222170">@phanTom</a>Thanks for the help with this, on going question as I'm now seeing the query that is passed actually formatted as such:</P><UL><LI>query: "| inputlookup someCSV.csv | search domain=domain1.com | inputlookup someCSV.csv | search domain=domain2.com | inputlookup someCSV.csv | search domain=domain3.com"</LI></UL><P>Rather than individual queries, it appears it's formatted these all as a single, chained query, and passed it off to Splunk.</P><P>I'm not at the terminal any longer, but do I need to loop the run_query block as well with the output of formatted_data.* by doing the same for the input of run_query:</P><P>&nbsp;</P><P>%%</P><P>{0}</P><P>%%</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 15 Feb 2021 22:55:02 GMT https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/540025#M575 wilcompl1334 2021-02-15T22:55:02Z https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/540062#M576 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/138142">@wilcompl1334</a>&nbsp;you will need to pass in the <STRONG>formatted_data.*</STRONG> output from the format block into the query field of the&nbsp;<STRONG>run_query</STRONG> action (as per the diagram).<BR /><BR />Try selecting each option and watch the Code in the Playbook Editor tab for the change:<BR />* If using&nbsp;<STRONG>formatted_data.*</STRONG> output the code has a for loop to add a single parameter for each item found in the formatted data output</P><P>* If using just <STRONG>formatted_data</STRONG> it passes in the list (built in the format block using %'s) as a single string parameter.&nbsp;<BR /><BR />So unless you are doing something custom I am not aware of, simply by using the %%{0}%% method in the format block and selecting the&nbsp;<STRONG>formatted_data.*</STRONG> datapath in the&nbsp;<STRONG>query</STRONG> field, Phantom will see each item in the list as a separate parameter and pass them individually into the&nbsp;<STRONG>run_query&nbsp;</STRONG>action.<BR /><BR />Using the format block with the %%{0}%% in will create:<BR /><SPAN>| inputlookup someCSV.csv | search domain=domain1.com<BR />| inputlookup someCSV.csv | search domain=domain2.com<BR />| inputlookup someCSV.csv | search domain=domain3.com</SPAN><BR />&nbsp;<BR />If you pass it in as just <STRONG>formatted_data</STRONG> then the code will look like this:<BR /><BR /># build parameters list for 'run_query_1' call<BR />parameters.append({<BR />&nbsp; &nbsp; 'command': "search",<BR />&nbsp; &nbsp; 'query': formatted_data_1,<BR />&nbsp; &nbsp; 'display': "",<BR />&nbsp; &nbsp; 'parse_only': "",<BR />})<BR /><BR />However if you use the f<STRONG>ormatted_data.*</STRONG> it will/should change to this:<BR /># build parameters list for 'run_query_1' call<BR /><STRONG>for formatted_part_1 in formatted_data_1:</STRONG><BR />&nbsp; &nbsp; parameters.append({<BR />&nbsp; &nbsp; &nbsp; &nbsp; 'command': "search",<BR />&nbsp; &nbsp; &nbsp; &nbsp; 'query': formatted_part_1,<BR />&nbsp; &nbsp; &nbsp; &nbsp; 'display': "",<BR />&nbsp; &nbsp; &nbsp; &nbsp; 'parse_only': "",<BR />})<BR /><BR />I am 100% sure, again unless you are doing something custom I am not aware of, this will work for you.&nbsp;</P> Tue, 16 Feb 2021 09:07:46 GMT https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/540062#M576 phanTom 2021-02-16T09:07:46Z https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/589423#M807 <P>Hi</P><P>I am currently working on a similar task that passing the formatted block value to Splunk query to get an out put required for the next action.&nbsp; My search query</P><P>&nbsp;|inputlookup agentid.csv | search hostname=hostname1| fields agentid</P><P>My format block configured as below,</P><P><SPAN>Template</SPAN></P><P><SPAN>{0}</SPAN></P><P><SPAN>Template Parameters</SPAN></P><P><SPAN>0 = get_variables_2:action_result.data.*.Computer ID</SPAN></P><P>&nbsp;</P><P><SPAN>Can you please advise me how to pass this computer ID to my Splunk&nbsp;query as&nbsp; mentioned above?</SPAN></P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Mar 2022 22:48:46 GMT https://community.splunk.com/t5/Splunk-SOAR/Action-Run-Splunk-Query-Issues/m-p/589423#M807 jesuamal 2022-03-16T22:48:46Z