Splunk SOAR

Filter block not working when event does not contain an artifact

N_K
Engager

I have a playbook set up to run on all events in a 10minute_timer label using the Timer app. These events do not contain artifacts.

I've noticed the playbook runs fine when testing on a test_event that contains an artifact. When I moved it over to run on the timer label it dies when it gets to my filter block. I've also run the exact same playbook on an event in my test_label which also didn't contain an artifact and that too fails.

I've tested it without the filter block and used a decision instead, and that works fine. Both blocks share the same Scope in the Advanced settings drop-down. My conditions are fine in the filter block and should evaluate to True; I added a test condition on the label name to make sure of this and even that is not triggering.

I think this may be a bug; I'm open to being wrong, but I'm not sure what else I can do to test it.


Thanks

I believe this is a bug with SOAR. 

0 Karma

marnall
Motivator

I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts.

My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.

0 Karma

phanTom
SplunkTrust

@marnall I think the cleanest way, until they fix it, would be to build a Custom Function that uses REST to check for the <thing> you want and then output a boolean to use downstream.

At least the CF could be made re-usable for similar use cases. 
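An added example, not code from this thread or from Splunk: a plain-Python version of the check phanTom describes. It pulls the container's artifacts over the SOAR REST endpoint `/rest/container/<id>/artifacts` and returns a boolean the playbook can branch on, so nothing depends on the filter block seeing an artifact. Assumed: the base URL, auth token, expected label and CEF key/value are placeholders you supply; the two JSON responses are constructed samples; wrapping this as a SOAR custom function (which would call the `phantom` module instead of urllib) is left to the reader.

```python
import json
import urllib.request

# Constructed samples of what GET /rest/container/<id>/artifacts returns,
# trimmed to the fields this check reads.
SAMPLE_WITH_ARTIFACT = json.dumps({
    "count": 1,
    "data": [{"id": 42, "label": "event", "cef": {"sourceAddress": "10.0.0.5"}}],
})
SAMPLE_NO_ARTIFACT = json.dumps({"count": 0, "data": []})


def fetch_artifacts_http(base_url, container_id, token, timeout=10):
    """Fetch the artifact list for a container via the SOAR REST API.

    Uses the ph-auth-token header; page_size=0 asks for all artifacts at once.
    base_url and token are placeholders for your own instance.
    """
    url = f"{base_url.rstrip('/')}/rest/container/{int(container_id)}/artifacts?page_size=0"
    req = urllib.request.Request(url, headers={"ph-auth-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def evaluate_container(container_label, artifacts_json, expected_label,
                       cef_key=None, cef_value=None):
    """Return the booleans a custom function would hand to a downstream decision.

    The label test is evaluated on the container alone, so it still works when
    the artifact list is empty (the case the filter block chokes on). The CEF
    test is optional and only passes when some artifact carries the value.
    """
    artifacts = json.loads(artifacts_json).get("data", [])
    label_ok = container_label == expected_label
    if cef_key is None:
        cef_ok = True
    else:
        cef_ok = any(a.get("cef", {}).get(cef_key) == cef_value for a in artifacts)
    return {
        "label_matches": label_ok,
        "artifact_count": len(artifacts),
        "cef_matches": cef_ok,
        "proceed": label_ok and cef_ok,
    }


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_artifacts_http for a live check.
    print(evaluate_container("10minute_timer", SAMPLE_NO_ARTIFACT, "10minute_timer"))
```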


N_K
Engager

@marnall - Yes, I thought about doing that myself; as you said, it's not 'clean' though, and we shouldn't really have to.


0 Karma