Splunk SOAR (f.k.a. Phantom)

get datapath variable as a string rather then a list

meshorer
Path Finder

hello all,

I have an app that to perform an action I cant insert the required parameter as a list. but as a string.
this is a bit issue because I am using data value from action results as the parameter to insert, for example: 
"my_App_action:action_result.data.*.device_id"
and as far as I understand, action_result.data collection is always an array. so I can not use directly this action results returned parameter as a parameter to insert to my action.

the only workaround I found is to add a code block that gets the datapath-parameter as input, and outputs the value_name[0].


is there a better workaround for this?

 

Labels (1)
0 Karma

UnifiedSubtly
New Member

I'm struggling to find a solution to this too. I've got a format block to grab out 5 values from the haveibeenpwned API and one is always returned as an array.

From there, have a format block to cycle through and create a markup table:

UnifiedSubtly_0-1709119922582.png

Just trying to get the "Data Compromised" table to appear as a string without the any of the [ ' ] symbols.

 

0 Karma

jenniandthebets
Explorer

Before you format your table, you'll need to take your return value in the array and convert it to a string. You will need to do some custom code for this.

The beauty of SOAR is that you're able to throw in some python code to manipulate the data in whatever way you want it to.

0 Karma

jenniandthebets
Explorer

You're definitely on the right track with your method - you wouldn't actually need to add in the custom code block for this, you can just add it into the commented section of your action block. Depending on your use cases and if it's something you expect to need to do often, it might warrant a custom function. 

An alternative, if you're only ever expecting a single value returned in that list, could be to use the format blocks, but it's definitely not as clean a solution there.

If you haven't read through it yet, this was a super helpful link in the documentation to help jumpstart my overall SOAR knowledge - https://docs.splunk.com/Documentation/SOAR/current/PlaybookAPI/Datapaths

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...