Splunk SOAR

Is there a way to try 'except' functionality with playbook?

nongingerale
Explorer

Fairly new to writing playbooks within Phantom and so far havent found documentation for this yet:
I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (main fail case is if a splunk search fails/job dies). Basically almost like a try/except block but in Phantom. Has anyone found a way to incorporate this in phantom?

Labels (2)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then route down a path to a 'send_email' action or input playbook. I would recommend input playbook so you can re-use for all failures in your automation. 

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use timer app) and then sends an email if more than 1 failure found. 

Hope this helps!

Happy SOARing!

View solution in original post

CS_
Path Finder

Yep - just like @phanTom  says - you can check the "status" output for an app action. I would do something like this:

CS__0-1674700162022.png

The decision checks the status of the Splunk "Run Query" app action, if successful; end, Else; send an email.

You can do stiff with "try/except" in regular codeblocks but to be honest they become  a pain to manage in larger playbooks.  I know when i started with playbooks, i had to try and unlearn how I'd do it in python, and think about it in terms of SOAR's playbook capabilities, but I am better off for it 😄

 

nongingerale
Explorer

that makes sense, thanks for the help!

0 Karma

phanTom
SplunkTrust
SplunkTrust

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then route down a path to a 'send_email' action or input playbook. I would recommend input playbook so you can re-use for all failures in your automation. 

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use timer app) and then sends an email if more than 1 failure found. 

Hope this helps!

Happy SOARing!

nongingerale
Explorer

thanks! appreciate the help

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...