Splunk SOAR

Filter block not working when event does not contain an artifact

N_K
Loves-to-Learn

I have a playbook set up to run on all events in a 10minute_timer label using the Timer app. These events do not contain artifacts.

I've noticed the playbook runs fine when testing on a test_event that contains an artifact. When I moved it over to run on the timer label, it dies when it gets to my filter block. I've also run the exact same playbook on an event in my test_label which also didn't contain an artifact, and that too fails.

I've tested it without the filter block and used a decision instead; that works fine. Both blocks share the same Scope in the Advanced settings drop-down. My conditions are fine in the filter block and should evaluate to True. I added a test condition on the label name to make sure of this, and even that is not triggering.

I think this may be a bug. I'm open to being wrong, but I'm not sure what else I can do to test it.

Thanks

I believe this is a bug with SOAR.


marnall
Motivator

I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts.

My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.


phanTom
SplunkTrust

@marnall I think the cleanest way, until they fix it, would be to build a Custom Function that uses REST to check for the <thing> you want and then output a boolean to use downstream.

At least the CF could be made reusable for similar use cases.
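One way to write the Custom Function phanTom describes, as an added example that is not code from this thread or from Splunk: it queries the SOAR REST artifact listing for the current container and returns a boolean a downstream decision block can branch on (decision blocks are what the original poster reports working on artifact-less events). The endpoint path, the `_filter_container` / `page_size` query parameters, the `count` field in the response and the use of `phantom.requests` inside the custom-function runtime are assumptions about the SOAR REST API; the `http_get` parameter exists so the function can be exercised offline with a fake transport.

```python
import json
from typing import Callable, Optional, Tuple

# Assumed SOAR REST shape (verify against your SOAR version):
#   GET /rest/artifact?_filter_container=<id>&page_size=1  ->  {"count": N, "data": [...]}
ARTIFACT_ENDPOINT = "/rest/artifact"


def build_artifact_query(base_url: str, container_id: int) -> str:
    """Build the REST URL that lists the artifacts belonging to one container."""
    return (f"{base_url.rstrip('/')}{ARTIFACT_ENDPOINT}"
            f"?_filter_container={int(container_id)}&page_size=1")


def container_has_artifacts(container_id: int,
                            base_url: str = "https://127.0.0.1",
                            http_get: Optional[Callable[[str], Tuple[int, str]]] = None) -> dict:
    """Custom-function body: report whether a container holds any artifacts.

    http_get(url) must return (status_code, body_text). When None, the SOAR
    custom-function runtime's phantom.requests is used (assumed available there).
    The returned dict is the custom function's output; 'has_artifacts' feeds a
    downstream decision block instead of a filter block.
    """
    if http_get is None:
        import phantom.requests as ph_requests  # assumption: SOAR runtime module

        def http_get(url: str) -> Tuple[int, str]:
            resp = ph_requests.get(url, verify=False)
            return resp.status_code, resp.text

    outputs = {"has_artifacts": False, "artifact_count": 0, "message": ""}
    try:
        status, body = http_get(build_artifact_query(base_url, container_id))
        if status != 200:
            outputs["message"] = f"REST query failed with HTTP {status}"
            return outputs
        count = int(json.loads(body).get("count", 0))
    except (ValueError, TypeError, AttributeError) as exc:
        # Covers non-JSON bodies, a non-object JSON body and a non-numeric count.
        outputs["message"] = f"could not parse artifact listing: {exc}"
        return outputs

    outputs["artifact_count"] = count
    outputs["has_artifacts"] = count > 0
    outputs["message"] = "ok"
    return outputs
```

A REST or parse failure is reported in `message` with `has_artifacts` left False, so the playbook can branch on the message rather than silently treating an API error as "no artifacts".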


N_K
Loves-to-Learn

@marnall - Yes, I thought about doing that myself; as you said, it's not 'clean' though, and we shouldn't really have to.
