Splunk SOAR

Filter block not working when event does not contain an artifact

N_K
Loves-to-Learn

I have a playbook set up to run on all events in a 10minute_timer label using the Timer app. These events do not contain artifacts.

I've noticed the playbook runs fine when testing on a test_event that contains an artifact. When I moved it over to run on the timer label, it dies when it gets to my filter block. I've also run the exact same playbook on an event in my test_label which also didn't contain an artifact, and that too fails.

I've tested it without the filter block and used a decision instead; that works fine. Both blocks share the same Scope in the Advanced settings drop-down. My conditions are fine in the filter block and should evaluate to True; I added a test condition on the label name to make sure of this, and even that is not triggering.

I think this may be a bug. I'm open to being wrong, but I'm not sure what else I can do to test it.

Thanks

I believe this is a bug with SOAR. 

marnall
Motivator

I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts.

My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.

phanTom
SplunkTrust

@marnall I think the cleanest way, until they fix it, would be to build a Custom Function that uses REST to check for the <thing> you want and then output a boolean to use downstream.

At least the CF could be made re-usable for similar use cases.
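
The Custom Function approach described above, written out as an added example (not code from this thread or from Splunk): it pulls the container's artifacts over REST, returns a plain boolean plus the ids of artifacts whose CEF field matches, and returns (False, []) for an artifact-less container instead of stopping the playbook the way the filter block does. `phantom.build_phantom_rest_url` and `phantom.requests` are assumed to be the SOAR playbook-API calls for the live fetch; the fetch is injected so the logic also runs offline against a constructed response.

```python
"""Custom-function style check: does a SOAR container hold an artifact whose
CEF field matches a value?  Yields a boolean a downstream decision block can
branch on, and handles the artifact-less container the filter block chokes on.

Assumption: phantom.build_phantom_rest_url / phantom.requests (SOAR playbook
API) perform the HTTP call inside SOAR; outside SOAR the fetch is injected."""

try:  # the phantom module only exists inside the SOAR runtime
    import phantom.rules as phantom
except ImportError:
    phantom = None


def soar_fetch_artifacts(container_id):
    """Live fetch of /rest/container/<id>/artifacts (only usable inside SOAR)."""
    url = phantom.build_phantom_rest_url("container", container_id, "artifacts")
    return phantom.requests.get(url, verify=False).json()


def artifact_filter(container_id, cef_key, expected, fetch=soar_fetch_artifacts):
    """Return (has_artifacts, matching_ids).

    has_artifacts is False for a container with no artifacts at all, so the
    playbook can still take a deliberate branch instead of dying at a filter."""
    body = fetch(container_id)
    artifacts = body.get("data", [])  # REST list endpoints wrap rows in "data"
    matching_ids = [a["id"] for a in artifacts
                    if a.get("cef", {}).get(cef_key) == expected]
    return bool(artifacts), matching_ids


# Constructed REST responses: one artifact-less container (the timer-label
# case from the thread) and one container carrying two artifacts.
_CONSTRUCTED = {
    101: {"count": 0, "data": []},
    202: {"count": 2, "data": [
        {"id": 7, "name": "alert", "cef": {"sourceAddress": "198.51.100.9"}},
        {"id": 8, "name": "alert", "cef": {"sourceAddress": "203.0.113.4"}},
    ]},
}


def fake_fetch(container_id):
    """Offline stand-in for soar_fetch_artifacts."""
    return _CONSTRUCTED[container_id]


if __name__ == "__main__":
    print(artifact_filter(101, "sourceAddress", "198.51.100.9", fake_fetch))  # (False, [])
    print(artifact_filter(202, "sourceAddress", "198.51.100.9", fake_fetch))  # (True, [7])
```

Inside SOAR the same function is called with the default fetch, and the returned boolean is what the downstream decision block tests.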

N_K
Loves-to-Learn

@marnall - Yes, I thought about doing that myself; as you said, it's not 'clean' though, and we shouldn't really have to.
