Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Pass format block data to subplaybook

shaquibk
Explorer
‎09-23-2021 12:53 AM

Hi Team,

I want to know if it is possible pass data present in a format block of one playbook to another playbook being called. So its like

PB1--->Format block -------> PB2 called ------>PB2 performs functions on the previous format block data.

I know as a workaround this can be done by adding an artifact and using it in subplaybook. But would prefer if it is possible without it.

Kindly let me know if any further info is required.

Thanks in advance!

Regards,

Shaquib

Labels (1)
Labels
Tags (2)
0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎09-23-2021 01:17 AM

@shaquibk you could look to use phantom.save_object() and phantom.get_object() to save and retrieve the formatted string in another playbook. Not sure if the process will mess with formatting but they will certainly persist the formatted data string for re-use.

save_object() : https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/DataManagementAPI#save_object 

get_object(): https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/DataManagementAPI#get_object 

Happy Phantoming!

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...