Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Change parameter dynamically In playbook

meshorer
Path Finder
‎11-01-2023 05:31 AM

Hi,

during a playbook, 

I would like to check a parameter with a condition, and if the condition result true, I would like to use that parameter. But if the condition result is false, I would then use a different parameter.

is there a way to do that without duplicating a lot of blocks? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎11-01-2023 07:38 AM

@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. 

If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 block prior could only ever go down 1 route then you can untick all boxes and it should work. 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-01-2023 05:54 AM

@meshorer is the value you would use when NOT true hardcoded or from other information in the event/artifact?

I think for this you might be best to use a Code Block / Custom Function to have a single output and do all the checking in code based on the inputted value(s). 

-- Happy SOARing! --

0 Karma
Reply
Solved! Jump to solution

meshorer
Path Finder
‎11-01-2023 06:50 AM

Thank you, @phanTom 

a code block to check it and then outputs the relevant parameter did it.

but now I have another problem- when I  try to connect two blocks that are separated with a decision block, to the same prompt block or decision block, it doesn’t work.

for one case it goes well, but for the second case the debug shows “join_ <block name> called”, but the playbook ends there.

Why does it happen?

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎11-01-2023 07:38 AM

@meshorer when you join 2 or more lines to a block it creates a join that by default will wait for all connected blocks to complete. 

If you open the code block settings and expand the Advanced drop-down you should see some tick boxes. As long as the 2 block prior could only ever go down 1 route then you can untick all boxes and it should work. 

0 Karma
Reply
Solved! Jump to solution

meshorer
Path Finder
‎11-01-2023 10:22 AM

@phanTom 

you are a genius! 

thank you very much

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...