Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to continue playbook (i.e. 'catch error') if an app action fails?

catherinelam
Explorer
‎07-19-2024 07:00 AM

I guess the question can be broad, but I am coming from the following scenario: I am using the Splunk app, which has been configured and connection tested successfully in SOAR. 

Recently, something happened that I did not expect - the credentials to Splunk were rejected and the action to "run query" returned with an expected message of: "Unauthorized Access (401)". But then the action terminated there and did not continue with the rest of the playbook. 

I have another app action for Ansible Tower to run a (Ansible) playbook (action name is "run job"), and if the Ansible playbook fails, the action in Splunk SOAR is marked as FAILED, but the SOAR playbook continues otherwise. I can't tell what the difference is between these two actions that allows one to continue, but the other to halt the SOAR playbook progression.

Any advice is appreciated. 🙂 

Labels (1)
Labels
0 Karma
Reply

SOARt_of_Lost
Path Finder
‎07-30-2024 07:41 AM

My first thought is that the blocks downstream from the ansible block don't require it to complete, while the blocks downstream from the splunk block do. To check on this:

  1. Click on all downstream blocks
  2. For each, open the advanced dropdown in the left panel
  3. See if the Join Settings require the ansible/splunk blocks
  4. If you don't want the block to be required, uncheck the box here

 

To directly answer your title question, you can build your own error handling by placing a decision block after the splunk block to check whether splunk_block:action_results:status returns success or failed. If you take this approach and have the different branches reconnect at any point, you'll have to check the join settings because they will automatically require the splunk block to have completed even if your playbook previously followed the "failed" path.

Reply
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...