Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Action Run Splunk Query Issues

wilcompl1334
Explorer
‎02-15-2021 08:00 AM

I'm running into an issue where I have multiple artifacts that are being submitted as a Splunk query. Below is my current workflow:

  1. Extract domains from URL
  2. Format Splunk query as such: '|inputlookup someCSV.csv | search domain={0}'
  3. Run Splunk query

The issue lies in the Splunk query that is run appears to be appending the artifacts in a comma delimited list rather than individual queries:

  • query = | inputlookup someCSV.csv | search domain=domain1.com, domain2.com, domain3.com

When i'm expecting the following searches to be run:

  • query = | inputlookup someCSV.csv | search domain=domain1.com
  • query = | inputlookup someCSV.csv | search domain=domain2.com
  • query = | inputlookup someCSV.csv | search domain=domain3.com

Is there a way to construct this so each domain extracted is run in a separate Splunk query?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎02-16-2021 01:07 AM

@wilcompl1334 you will need to pass in the formatted_data.* output from the format block into the query field of the run_query action (as per the diagram).

Try selecting each option and watch the Code in the Playbook Editor tab for the change:
* If using formatted_data.* output the code has a for loop to add a single parameter for each item found in the formatted data output

* If using just formatted_data it passes in the list (built in the format block using %'s) as a single string parameter. 

So unless you are doing something custom I am not aware of, simply by using the %%{0}%% method in the format block and selecting the formatted_data.* datapath in the query field, Phantom will see each item in the list as a separate parameter and pass them individually into the run_query action.

Using the format block with the %%{0}%% in will create:
| inputlookup someCSV.csv | search domain=domain1.com
| inputlookup someCSV.csv | search domain=domain2.com
| inputlookup someCSV.csv | search domain=domain3.com
 
If you pass it in as just formatted_data then the code will look like this:

# build parameters list for 'run_query_1' call
parameters.append({
    'command': "search",
    'query': formatted_data_1,
    'display': "",
    'parse_only': "",
})

However if you use the formatted_data.* it will/should change to this:
# build parameters list for 'run_query_1' call
for formatted_part_1 in formatted_data_1:
    parameters.append({
        'command': "search",
        'query': formatted_part_1,
        'display': "",
        'parse_only': "",
})

I am 100% sure, again unless you are doing something custom I am not aware of, this will work for you. 

View solution in original post

Preview file
72 KB
Reply
Solved! Jump to solution

jesuamal
Loves-to-Learn Everything
‎03-16-2022 03:48 PM

Hi

I am currently working on a similar task that passing the formatted block value to Splunk query to get an out put required for the next action.  My search query

 |inputlookup agentid.csv | search hostname=hostname1| fields agentid

My format block configured as below,

Template

{0}

Template Parameters

0 = get_variables_2:action_result.data.*.Computer ID

 

Can you please advise me how to pass this computer ID to my Splunk query as  mentioned above?

 

 

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎02-16-2021 01:07 AM

@wilcompl1334 you will need to pass in the formatted_data.* output from the format block into the query field of the run_query action (as per the diagram).

Try selecting each option and watch the Code in the Playbook Editor tab for the change:
* If using formatted_data.* output the code has a for loop to add a single parameter for each item found in the formatted data output

* If using just formatted_data it passes in the list (built in the format block using %'s) as a single string parameter. 

So unless you are doing something custom I am not aware of, simply by using the %%{0}%% method in the format block and selecting the formatted_data.* datapath in the query field, Phantom will see each item in the list as a separate parameter and pass them individually into the run_query action.

Using the format block with the %%{0}%% in will create:
| inputlookup someCSV.csv | search domain=domain1.com
| inputlookup someCSV.csv | search domain=domain2.com
| inputlookup someCSV.csv | search domain=domain3.com
 
If you pass it in as just formatted_data then the code will look like this:

# build parameters list for 'run_query_1' call
parameters.append({
    'command': "search",
    'query': formatted_data_1,
    'display': "",
    'parse_only': "",
})

However if you use the formatted_data.* it will/should change to this:
# build parameters list for 'run_query_1' call
for formatted_part_1 in formatted_data_1:
    parameters.append({
        'command': "search",
        'query': formatted_part_1,
        'display': "",
        'parse_only': "",
})

I am 100% sure, again unless you are doing something custom I am not aware of, this will work for you. 

Preview file
72 KB
Reply
Solved! Jump to solution

wilcompl1334
Explorer
‎02-15-2021 02:13 PM

@phanTomThanks for the help with this, on going question as I'm now seeing the query that is passed actually formatted as such:

  • query: "| inputlookup someCSV.csv | search domain=domain1.com | inputlookup someCSV.csv | search domain=domain2.com | inputlookup someCSV.csv | search domain=domain3.com"

Rather than individual queries, it appears it's formatted these all as a single, chained query, and passed it off to Splunk.

I'm not at the terminal any longer, but do I need to loop the run_query block as well with the output of formatted_data.* by doing the same for the input of run_query:

 

%%

{0}

%%

 

 

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎02-15-2021 08:08 AM

@wilcompl1334 

I can see you are using a format block due to the {0} item so this is a nice simple one 😄

If you wrap your format content like  this and use the formatted_data.* output in the run_query block:

%%
|inputlookup someCSV.csv | search domain={0}
%%

You should see in the run_query that Phantom builds the for loop based on the formatted_data.* being recognised as a list object. Without the formatted_data.* it will dump all 3 as a single string. 

If this helps please mark as so, or ask for more assistance.

phanTom

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...