Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change parameter dynamically In playbook

meshorer
Path Finder
‎11-01-2023 05:31 AM

Hi,

during a playbook, 

I would like to check a parameter with a condition, and if the condition result true, I would like to use that parameter. But if the condition result is false, I would then use a different parameter.

is there a way to do that without duplicating a lot of blocks? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎11-01-2023 07:38 AM

@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. 

If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 block prior could only ever go down 1 route then you can untick all boxes and it should work. 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-01-2023 05:54 AM

@meshorer is the value you would use when NOT true hardcoded or from other information in the event/artifact?

I think for this you might be best to use a Code Block / Custom Function to have a single output and do all the checking in code based on the inputted value(s). 

-- Happy SOARing! --

0 Karma
Reply
Solved! Jump to solution

meshorer
Path Finder
‎11-01-2023 06:50 AM

Thank you, @phanTom 

a code block to check it and then outputs the relevant parameter did it.

but now I have another problem- when I  try to connect two blocks that are separated with a decision block, to the same prompt block or decision block, it doesn’t work.

for one case it goes well, but for the second case the debug shows “join_ <block name> called”, but the playbook ends there.

Why does it happen?

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎11-01-2023 07:38 AM

@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. 

If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 block prior could only ever go down 1 route then you can untick all boxes and it should work. 

0 Karma
Reply
Solved! Jump to solution

meshorer
Path Finder
‎11-01-2023 10:22 AM

@phanTom 

you are a genius! 

thank you very much

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...