Splunk SOAR

Is there a way to try 'except' functionality with playbook?

nongingerale
Explorer

Fairly new to writing playbooks within Phantom and so far haven't found documentation for this yet:
I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (main fail case is if a Splunk search fails/job dies). Basically almost like a try/except block but in Phantom. Has anyone found a way to incorporate this in Phantom?

1 Solution

phanTom
SplunkTrust
SplunkTrust

@nongingerale this is something you need to build into your playbook(s). 

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and, if not success, routes down a path to a 'send_email' action or input playbook. I would recommend an input playbook so you can re-use it for all failures in your automation.

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use the timer app) and then send an email if more than 1 failure is found.

Hope this helps!

Happy SOARing!
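The scheduled REST check described above, as an added example that is not part of the original thread or of Splunk's own code. It assumes that `/rest/playbook_run` returns JSON shaped as `{"count": N, "data": [...]}` with `id`, `playbook`, `container`, `status` and `message` fields on each run record, that the SOAR REST API accepts a `_filter_status` query parameter and a `ph-auth-token` header, and that the base URL and token are supplied by the caller; the sample response is constructed to that shape so the parsing and alert-building logic runs offline.

```python
"""Poll Splunk SOAR for failed playbook runs and build an alert body.

Added example, not from the thread or the SOAR docs. Assumed response shape:
{"count": N, "data": [{"id": .., "playbook": .., "container": ..,
                       "status": "success"|"failed"|..., "message": ".."}, ...]}
"""
import json
from typing import Dict, List

# Constructed sample of one poll of /rest/playbook_run (not real data).
SAMPLE_RESPONSE = json.dumps({
    "count": 3,
    "data": [
        {"id": 101, "playbook": 7, "container": 55, "status": "success",
         "message": "playbook completed"},
        {"id": 102, "playbook": 7, "container": 56, "status": "failed",
         "message": "run_query_1: Splunk search job died"},
        {"id": 103, "playbook": 9, "container": 57, "status": "failed",
         "message": "send_email_1: connection refused"},
    ],
})


def failed_runs(response_json: str) -> List[Dict]:
    """Return only the run records whose status is 'failed'."""
    body = json.loads(response_json)
    return [run for run in body.get("data", []) if run.get("status") == "failed"]


def build_alert(runs: List[Dict], threshold: int = 1) -> str:
    """Return an email body when at least `threshold` failed runs were found,
    otherwise an empty string (meaning: nothing to send this cycle)."""
    if len(runs) < threshold:
        return ""
    lines = [f"{len(runs)} failed playbook run(s) detected:"]
    for run in runs:
        lines.append(
            f"- run {run['id']} (playbook {run['playbook']}, "
            f"container {run['container']}): {run.get('message', 'no message')}"
        )
    return "\n".join(lines)


def fetch_failed_runs(base_url: str, token: str, verify_tls: bool = True) -> List[Dict]:
    """Query a live SOAR instance (assumed endpoint, filter param and header).

    Server-side filtering keeps the response small; failed_runs() is applied
    again as a defensive check in case the filter is ignored.
    """
    import requests  # imported here so the offline parts need no extra deps
    resp = requests.get(
        f"{base_url}/rest/playbook_run",
        params={"_filter_status": '"failed"', "page_size": 100},
        headers={"ph-auth-token": token},
        verify=verify_tls,
        timeout=30,
    )
    resp.raise_for_status()
    return failed_runs(resp.text)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(build_alert(failed_runs(SAMPLE_RESPONSE)))
```

Run from the timer app's scheduled playbook (or a cron job on a management host), call `fetch_failed_runs` with a dedicated automation user's token, and hand the non-empty string from `build_alert` to the `send_email` action; `threshold` is the "more than N failures" knob from the answer above. Give that automation user read-only access, since it only needs to list runs.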


CS_
Path Finder

Yep - just like @phanTom says - you can check the "status" output for an app action. I would do something like this:

[screenshot: playbook with a decision block on the Splunk "Run Query" action's status]

The decision checks the status of the Splunk "Run Query" app action: if successful, end; else, send an email.

You can do stuff with "try/except" in regular code blocks but, to be honest, they become a pain to manage in larger playbooks. I know when I started with playbooks, I had to try and unlearn how I'd do it in Python, and think about it in terms of SOAR's playbook capabilities, but I am better off for it 😄


nongingerale
Explorer

that makes sense, thanks for the help!


nongingerale
Explorer

thanks! appreciate the help
