Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to pass data between actions

GeorgeOrwell
Explorer
‎07-18-2022 04:58 AM

I have two actions linked together.
The first one is a block with custom code where I want to list all of the files inside directory using  `os.listdirs()` 
The second one is decision block. 
I would like to be able to pass the result of the first block into the second. 
How can I go about it?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎07-18-2022 06:38 AM

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":  

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 

 

-- Hope this helps, if so consider leaving some Karma. Even better is if this fixed your issue, that you mark as a solution for others to find. Happy SOARing!! ---

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎07-19-2022 03:51 AM

@GeorgeOrwell no as it doesn't work like that and this would be a lot of custom code that would break the blocks (except code blocks & custom functions). 

A code block or custom function is by far the best solution to your issue. 

Best practise would be to build an app with a `list directories` action as this is scalable and extendable and you would then be able to use the outputted datapath in a decision with no issues at all. 

-- Hope this helps, if so consider leaving some Karma. Even better is if this fixed your issue, that you mark as a solution for others to find. Happy SOARing!! ---
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎07-18-2022 05:41 AM

@GeorgeOrwell in either custom code elements (code block/custom function) you can set up to 10 outputs. 

When you set an output on a Code Block you will see that it will be added to the code of the block:

<function_name>__<output_name> = None

In the code you simply need to build what you want to pass out, assign it to the above variable and then you should be able to select/use the output downstream in the decision. Be aware though that decisions have limited capability when it comes to list items in that it only really works with `in` and `not in` operators. 

If using a new custom function then simply map the list to one of the outputs configured in the settings and then make sure its all nested in the `outputs` variable at the end of the function and you should be able to use it in the decision. 

-- Hope this helps, if so consider leaving some Karma. Even better is if this fixed your issue, that you mark as a solution for others to find. Happy SOARing!! ---
Reply
Solved! Jump to solution

GeorgeOrwell
Explorer
‎07-18-2022 06:20 AM

What if I am not using Code Block nor Custom Function, but instead I have "Add note" action which I reworked completely?

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎07-18-2022 06:38 AM

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":  

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 

 

-- Hope this helps, if so consider leaving some Karma. Even better is if this fixed your issue, that you mark as a solution for others to find. Happy SOARing!! ---
Reply
Solved! Jump to solution

GeorgeOrwell
Explorer
‎07-19-2022 03:46 AM

What about `phantom.save_run_data()`? Can we later access it by key from decision block without modifying it?

Say we have 
phantom.save_run_data(key='add_note_13:temp_var', value=json.dumps("Hello"))

Can we access "add_note_13:temp_var" in decision block?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...