Splunk SOAR (f.k.a. Phantom)

SOAR - Only add to the list when the condition is met?

newsplunker1
Path Finder

Hi,

I have a list of hosts whose status I want to check, so I have created an if statement to filter out the ones that do not meet the condition, then I have an action to ping the ones that met the IF statement.

ex: 

host1, host2, host3, host4

if host == host1 OR host == host4

The next action would be to scan ONLY (host1, host4).

I have the playbook working with all actions, but I just could not figure out how to only process the hosts that meet the IF condition.

Thanks 


0 Karma

phanTom
SplunkTrust

@newf, where is this IF statement?

Are you using it in a Code block with a python if statement, or are you using a decision/filter?

The best-practice way to achieve what you want here is to use a decision and filter combination:

1. Decision block with your condition "host = X OR host = Y" leading to Continue (add an ELSE as another condition/output for the case where nothing matches).
2. Filter block with exactly the same config as the decision above.
3. In the action block, make sure to use the "filtered_data:<datapath to host value>" input; it should only pass through the values that matched the filter condition.

If you are using a code block for your if statement, then you need to add the values that pass to a Python list, then output that from the code block to a format block set up like below:

%%
{0}
%%

{0} = the code block's output list

Then, in the subsequent action, use the "formatted_data.*" output so the action loops through the contents of the list.

The first way, though, is by far the best and simplest way to achieve what you want, as code blocks should only be used for complicated data manipulation (such as needing to do AND and OR in the same statement, which decisions/filters can't do).

-- If this helped solve your issue please mark as a solution! Happy SOARing! --

0 Karma
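The code-block route in the answer above, worked through in plain Python as an added example (this is not Splunk's code, not the SOAR playbook from the thread, and it imports nothing from the phantom module). It shows the filtering step that keeps only the hosts satisfying the condition, a mixed AND/OR predicate of the kind the answer says decisions and filters cannot express, and a small emulation of what the "%% {0} %%" format block does with the resulting list. The emulator's loop semantics (render the text between the two %% markers once per list element) are an assumption for illustration, the sample host rows are constructed, and the hostname sanity check is my own defensive habit for artifact-sourced strings, not a SOAR requirement.

```python
"""Added illustration for the code-block route described in the answer.
Not Splunk's code and not the thread author's playbook."""
import re

# Constructed sample input: (artifact index, hostname) pairs, standing in
# for what a code block would collect from the container. Not real data.
SAMPLE_HOSTS = [(1, "host1"), (2, "host2"), (3, "host3"), (4, "host4")]

# Sanity check applied before a value is handed to a later action.
# Defensive habit for artifact-sourced strings (my choice, not a SOAR rule).
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253})$")


def filter_hosts(rows, predicate):
    """Keep only (index, host) pairs for which predicate(index, host) is true.

    Rows with a malformed hostname are dropped rather than passed on.
    """
    return [
        (idx, host)
        for idx, host in rows
        if _HOSTNAME_RE.match(host) and predicate(idx, host)
    ]


def host1_or_host4(idx, host):
    """The thread's condition: host == host1 OR host == host4."""
    return host == "host1" or host == "host4"


def odd_index_and_wanted(idx, host):
    """Mixed AND/OR condition: (host1 OR host3) AND an odd artifact index.
    This is the kind of condition the answer reserves code blocks for."""
    return (host == "host1" or host == "host3") and idx % 2 == 1


def render_loop_template(template, values):
    """Emulate a format block whose body sits between two %% markers and
    refers to one list parameter as {0}: the body is rendered once per
    element. Assumed loop semantics, for illustration only."""
    parts = template.split("%%")
    if len(parts) != 3:
        raise ValueError("expected exactly one %% ... %% loop")
    head, body, tail = parts
    return head + "".join(body.format(value) for value in values) + tail


def hosts_for_next_action(rows, predicate=host1_or_host4):
    """What the next action block would loop over: the list the code block
    outputs, passed through the format-block loop, one host per line."""
    hosts = [host for _, host in filter_hosts(rows, predicate)]
    rendered = render_loop_template("%%\n{0}\n%%", hosts)
    return [line for line in rendered.splitlines() if line]


if __name__ == "__main__":
    print(filter_hosts(SAMPLE_HOSTS, host1_or_host4))
    print(hosts_for_next_action(SAMPLE_HOSTS))
    print(hosts_for_next_action(SAMPLE_HOSTS, odd_index_and_wanted))
```

In a real playbook the list returned by filter_hosts would be written to the code block's output and wired into the format block as {0}; the emulator only exists so the filtering and the per-element loop can be checked together offline.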

newsplunker1
Path Finder

@phanTom, thanks for taking the time to look into this one for me.

So I'm using %% to loop through the list of hosts I want to scan/ping, but my struggle, I guess, is how to output the result into a format block where I can call it later on for other actions.

host1 with index 1 and host3 with index 3 pass the decision block, so my next step is to only apply other actions on those (host1/index1, host3/index3).

I hope I made this clearer than before.

Thanks

0 Karma