Splunk SOAR (f.k.a. Phantom)

Change parameter dynamically in playbook

meshorer
Path Finder

Hi,

During a playbook, I would like to check a parameter with a condition, and if the condition result is true, I would like to use that parameter. But if the condition result is false, I would then use a different parameter.

Is there a way to do that without duplicating a lot of blocks?


phanTom
SplunkTrust

@meshorer is the value you would use when NOT true hardcoded or from other information in the event/artifact?

I think for this you might be best to use a Code Block / Custom Function to have a single output and do all the checking in code based on the inputted value(s). 

-- Happy SOARing! --
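The single-output approach suggested above, as an added example that is not part of the original thread or Splunk's own code. The names `select_parameter`, `first_value` and `is_valid_ip` are hypothetical, and the IP-address check stands in for whatever condition the playbook actually needs; the function takes keyword inputs and returns an outputs dictionary, so downstream blocks read one datapath instead of being duplicated per branch.

```python
import ipaddress
import json


def is_valid_ip(value):
    """Assumed condition for illustration: value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(str(value).strip())
        return True
    except ValueError:
        return False


def first_value(datapath_result):
    """Inputs may arrive as lists with empty entries; return the first usable item."""
    if not isinstance(datapath_result, (list, tuple)):
        datapath_result = [datapath_result]
    for item in datapath_result:
        if item not in (None, ""):
            return item
    return None


def select_parameter(primary=None, fallback=None, condition=is_valid_ip, **kwargs):
    """Pick primary when it passes the condition, otherwise fallback; one output either way."""
    candidate = first_value(primary)
    if candidate is not None and condition(candidate):
        outputs = {"selected": candidate, "source": "primary"}
    else:
        outputs = {"selected": first_value(fallback), "source": "fallback"}
    # Fail early if the result cannot be serialised to JSON for the next block.
    assert json.dumps(outputs)
    return outputs


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real event or artifact.
    print(select_parameter(primary=[None, "10.1.2.3"], fallback=["192.0.2.10"]))
    print(select_parameter(primary=["not-an-ip"], fallback=["192.0.2.10"]))
```

The `source` field records which branch was taken, which helps when reading playbook debug output; `selected` is `None` when neither input has a usable value, so the next block should handle that case.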


meshorer
Path Finder

Thank you, @phanTom 

A code block that checks it and then outputs the relevant parameter did it.

But now I have another problem: when I try to connect two blocks that are separated by a decision block to the same prompt block or decision block, it doesn’t work.

For one case it goes well, but for the second case the debug shows “join_ <block name> called”, but the playbook ends there.

Why does it happen?


phanTom
SplunkTrust

@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. 

If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 blocks prior could only ever go down 1 route then you can untick all boxes and it should work.


meshorer
Path Finder

@phanTom 

You are a genius!

Thank you very much.
