Splunk SOAR (f.k.a. Phantom)

Action Run Splunk Query Issues

wilcompl1334
Explorer

I'm running into an issue where I have multiple artifacts that are being submitted as a Splunk query. Below is my current workflow:

  1. Extract domains from URL
  2. Format Splunk query as such: '|inputlookup someCSV.csv | search domain={0}'
  3. Run Splunk query

The issue is that the Splunk query that is run appears to append the artifacts as a comma-delimited list rather than running individual queries:

  • query = | inputlookup someCSV.csv | search domain=domain1.com, domain2.com, domain3.com

When I'm expecting the following searches to be run:

  • query = | inputlookup someCSV.csv | search domain=domain1.com
  • query = | inputlookup someCSV.csv | search domain=domain2.com
  • query = | inputlookup someCSV.csv | search domain=domain3.com

Is there a way to construct this so each domain extracted is run in a separate Splunk query?

phanTom
SplunkTrust

@wilcompl1334 you will need to pass in the formatted_data.* output from the format block into the query field of the run_query action (as per the diagram).

Try selecting each option and watch the Code in the Playbook Editor tab for the change:
* If using the formatted_data.* output, the code has a for loop that adds a single parameter for each item found in the formatted data output.

* If using just formatted_data, it passes in the list (built in the format block using %'s) as a single string parameter.

So unless you are doing something custom I am not aware of, simply by using the %%{0}%% method in the format block and selecting the formatted_data.* datapath in the query field, Phantom will see each item in the list as a separate parameter and pass them individually into the run_query action.

Using the format block with the %%{0}%% in it will create:
| inputlookup someCSV.csv | search domain=domain1.com
| inputlookup someCSV.csv | search domain=domain2.com
| inputlookup someCSV.csv | search domain=domain3.com

If you pass it in as just formatted_data then the code will look like this:

# build parameters list for 'run_query_1' call
parameters.append({
    'command': "search",
    'query': formatted_data_1,
    'display': "",
    'parse_only': "",
})

However if you use the formatted_data.* it will/should change to this:
# build parameters list for 'run_query_1' call
for formatted_part_1 in formatted_data_1:
    parameters.append({
        'command': "search",
        'query': formatted_part_1,
        'display': "",
        'parse_only': "",
    })

I am 100% sure, again unless you are doing something custom I am not aware of, this will work for you. 

jesuamal
Loves-to-Learn Everything

Hi

I am currently working on a similar task, passing the format block value to a Splunk query to get an output required for the next action. My search query:

 |inputlookup agentid.csv | search hostname=hostname1| fields agentid

My format block is configured as below:

Template

{0}

Template Parameters

0 = get_variables_2:action_result.data.*.Computer ID

Can you please advise me how to pass this Computer ID to my Splunk query as mentioned above?

wilcompl1334
Explorer

@phanTom Thanks for the help with this. Ongoing question, as I'm now seeing that the query that is passed is actually formatted as such:

  • query: "| inputlookup someCSV.csv | search domain=domain1.com | inputlookup someCSV.csv | search domain=domain2.com | inputlookup someCSV.csv | search domain=domain3.com"

Rather than individual queries, it appears it's formatted these all as a single, chained query and passed it off to Splunk.

I'm not at the terminal any longer, but do I need to loop the run_query block as well with the output of formatted_data.* by doing the same for the input of run_query:

%%
{0}
%%

phanTom
SplunkTrust
SplunkTrust

@wilcompl1334 

I can see you are using a format block due to the {0} item so this is a nice simple one 😄

If you wrap your format content like this and use the formatted_data.* output in the run_query block:

%%
|inputlookup someCSV.csv | search domain={0}
%%

You should see in the run_query that Phantom builds the for loop based on the formatted_data.* being recognised as a list object. Without the formatted_data.* it will dump all 3 as a single string. 

If this helps please mark as so, or ask for more assistance.

phanTom

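Added example (not Phantom's own code and not code from this thread) modelling what both phanTom answers describe: a format block whose template is wrapped in %% lines renders one line per element of the list bound to {0}, and picking formatted_data.* versus formatted_data decides whether run_query gets one parameter per item or a single string. The template handling here is a simplified assumption; outside a %% section a list is assumed to collapse into a comma-joined value, which is the behaviour the original question observed.

```python
"""Simplified model of a Splunk SOAR (Phantom) format block feeding run_query.

Assumption (not Phantom's real renderer): lines containing only '%%' open
and close a loop section that is rendered once per element of the list bound
to {0}; outside a loop section a list renders as a comma-joined string.
"""
from typing import Dict, List, Union

Datapath = Union[str, List[str]]


def render_format_block(template: str, value: Datapath) -> Dict[str, Datapath]:
    """Return both outputs of the block: 'formatted_data' and 'formatted_data.*'."""
    items = value if isinstance(value, list) else [value]
    lines: List[str] = []
    in_loop = False
    for line in template.strip().splitlines():
        if line.strip() == "%%":
            in_loop = not in_loop  # toggle the loop section
            continue
        if in_loop:
            # loop section: one rendered line per list element
            lines.extend(line.format(item) for item in items)
        else:
            # plain section: the whole list collapses into one value
            lines.append(line.format(", ".join(items)))
    return {"formatted_data": "\n".join(lines), "formatted_data.*": lines}


def build_run_query_parameters(formatted: Dict[str, Datapath], per_item: bool) -> List[Dict[str, str]]:
    """Mirror the two shapes of generated playbook code shown in the thread."""
    parameters: List[Dict[str, str]] = []
    if per_item:
        # formatted_data.* selected: the generated for loop adds one parameter per item
        for formatted_part in formatted["formatted_data.*"]:
            parameters.append({"command": "search", "query": formatted_part})
    else:
        # formatted_data selected: a single parameter carrying the whole string
        parameters.append({"command": "search", "query": str(formatted["formatted_data"])})
    return parameters


# Constructed sample input standing in for the domains extracted from URLs.
DOMAINS = ["domain1.com", "domain2.com", "domain3.com"]
WRAPPED = "%%\n|inputlookup someCSV.csv | search domain={0}\n%%"
UNWRAPPED = "|inputlookup someCSV.csv | search domain={0}"

if __name__ == "__main__":
    for p in build_run_query_parameters(render_format_block(WRAPPED, DOMAINS), True):
        print(p["query"])  # three separate queries, one per domain
    print(build_run_query_parameters(render_format_block(UNWRAPPED, DOMAINS), False)[0]["query"])
```

Running it with the wrapped template and per_item=True yields the three separate queries from the accepted answer; the unwrapped template reproduces the comma-joined single query from the question.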