Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass data between actions

GeorgeOrwell
Explorer
‎07-18-2022 04:58 AM

I have two actions linked together.
The first one is a block with custom code where I want to list all of the files inside directory using  `os.listdirs()` 
The second one is decision block. 
I would like to be able to pass the result of the first block into the second. 
How can I go about it?

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎07-18-2022 06:38 AM

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":  

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 

 

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎07-19-2022 03:51 AM

@GeorgeOrwell no as it doesn't work like that and this would be a lot of custom code that would break the blocks (except code blocks & custom functions). 

A code block or custom function is by far the best solution to your issue. 

Best practise would be to build an app with a `list directories` action as this is scalable and extendable and you would then be able to use the outputted datapath in a decision with no issues at all. 

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎07-18-2022 05:41 AM

@GeorgeOrwell in either custom code elements (code block/custom function) you can set up to 10 outputs. 

When you set an output on a Code Block you will see that it will be added to the code of the block:

<function_name>__<output_name> = None

In the code you simply need to build what you want to pass out, assign it to the above variable and then you should be able to select/use the output downstream in the decision. Be aware though that decisions have limited capability when it comes to list items in that it only really works with `in` and `not in` operators. 

If using a new custom function then simply map the list to one of the outputs configured in the settings and then make sure its all nested in the `outputs` variable at the end of the function and you should be able to use it in the decision. 

Reply
Solved! Jump to solution

GeorgeOrwell
Explorer
‎07-18-2022 06:20 AM

What if I am not using Code Block nor Custom Function, but instead I have "Add note" action which I reworked completely?

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎07-18-2022 06:38 AM

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":  

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 

 

Reply
Solved! Jump to solution

GeorgeOrwell
Explorer
‎07-19-2022 03:46 AM

What about `phantom.save_run_data()`? Can we later access it by key from decision block without modifying it?

Say we have 
phantom.save_run_data(key='add_note_13:temp_var', value=json.dumps("Hello"))

Can we access "add_note_13:temp_var" in decision block?

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...