Splunk SOAR

How to pass data between actions

GeorgeOrwell
Explorer

I have two actions linked together.
The first one is a block with custom code where I want to list all of the files inside directory using  `os.listdirs()` 
The second one is decision block. 
I would like to be able to pass the result of the first block into the second. 
How can I go about it?

Labels (2)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":  

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 

 

View solution in original post

phanTom
SplunkTrust
SplunkTrust

@GeorgeOrwell no as it doesn't work like that and this would be a lot of custom code that would break the blocks (except code blocks & custom functions). 

A code block or custom function is by far the best solution to your issue. 

Best practise would be to build an app with a `list directories` action as this is scalable and extendable and you would then be able to use the outputted datapath in a decision with no issues at all. 

phanTom
SplunkTrust
SplunkTrust

@GeorgeOrwell in either custom code elements (code block/custom function) you can set up to 10 outputs. 

When you set an output on a Code Block you will see that it will be added to the code of the block:

<function_name>__<output_name> = None

In the code you simply need to build what you want to pass out, assign it to the above variable and then you should be able to select/use the output downstream in the decision. Be aware though that decisions have limited capability when it comes to list items in that it only really works with `in` and `not in` operators. 

If using a new custom function then simply map the list to one of the outputs configured in the settings and then make sure its all nested in the `outputs` variable at the end of the function and you should be able to use it in the decision. 

GeorgeOrwell
Explorer

What if I am not using Code Block nor Custom Function, but instead I have "Add note" action which I reworked completely?

0 Karma

phanTom
SplunkTrust
SplunkTrust

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":  

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 

 

GeorgeOrwell
Explorer

What about `phantom.save_run_data()`? Can we later access it by key from decision block without modifying it?

Say we have 
phantom.save_run_data(key='add_note_13:temp_var', value=json.dumps("Hello"))

Can we access "add_note_13:temp_var" in decision block?

0 Karma
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

&#x1f48c;Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...