Can I extend the limits of output in my playbook?

peterng_ · ‎10-04-2022

I'm using Splunk SOAR 5.3.3. When I add 10 outputs for a playbook, the warning text appear "Limit 10 outputs reached".

phanTom · ‎01-11-2023

@fkpp2 ah yes, apologies I saw 10 outputs and instantly went to CF 😄

I like your approach for the playbooks. Thanks for clarifying as I am sure it will help ppl in the future.

fkpp2 · ‎01-11-2023

Hi @peterng_ ,

probably a little bit late and you might have found a solution to this already.

What I am doing in case I need more than 10 input or output variables, is putting a JSON object into one of the variables and parse it in the parent/sub playbook accordingly.

BR,

Florian

phanTom · ‎01-11-2023

@fkpp2 @peterng_ you can actually get them by using "nested JSON" in the output and can also use the datapath in the playbook without parsing.

E.G.

output of CF = <field>

Output JSON {"field": {"sub-field1": "<value>", "sub-field2", "<value>"}}

Then just add the sub-field name to the datapath in the playbook:

-- If this helps please mark as a solution. Happy SOARing! --

fkpp2 · ‎01-11-2023

When a CF comes into play, I agree with your approach.

Otherwise this is what I was suggesting, when trying to pass more than 10 variables to a sub playbook:

Main PB:

Sub PB:

You just need to json.loads() the ticket_input data according to your needs in a CF / code block and can access the fields as a datapath.

BR,

Florian

Can I extend the limits of output in my playbook?

using SOAR ⁄ Phantom

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?