Splunk SOAR

Is there a way to try 'except' functionality with playbook?

nongingerale
Explorer

Fairly new to writing playbooks within Phantom and so far haven't found documentation for this yet:
I'm trying to create an email notification (or something along those lines) whenever a playbook fails to complete for whatever reason (main fail case is if a Splunk search fails/job dies). Basically almost like a try/except block but in Phantom. Has anyone found a way to incorporate this in Phantom?


phanTom
SplunkTrust
SplunkTrust

@nongingerale this is something you need to build into your playbook(s).

All actions have a 'status' output which can be used in a decision block which then checks for the success/failed output and if not success then routes down a path to a 'send_email' action or input playbook. I would recommend an input playbook so you can re-use it for all failures in your automation.

For checking playbook failures, rather than action failures, you would probably need to use REST to check `/rest/playbook_run` for any that have a status of failed on a schedule (use the timer app) and then send an email if more than 1 failure is found.

Hope this helps!

Happy SOARing!

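An added example (not code from the thread or from Splunk) of the second approach above: a timer-driven job that reads `/rest/playbook_run`, keeps only runs whose status is failed within the polling window, and builds the email body. The response shape, record field names and the `ph-auth-token` header are assumptions, not something the thread states; check them against what your own instance returns.

```python
"""Poll SOAR's /rest/playbook_run for failed runs and turn them into an alert body.
Added example, not from the thread. Assumed (not stated in the thread): the endpoint
returns {"count": N, "data": [...]}, each record carries "id", "playbook", "container",
"status", "start_time" and "message", and auth is the "ph-auth-token" header.
"""
import json
from datetime import datetime

# Constructed sample response in the assumed shape (one success, two failures).
SAMPLE_RESPONSE = json.dumps({"count": 3, "data": [
    {"id": 101, "playbook": "triage_alert", "container": 42, "status": "success",
     "start_time": "2023-01-25T10:00:00Z", "message": ""},
    {"id": 102, "playbook": "enrich_ip", "container": 43, "status": "failed",
     "start_time": "2023-01-25T10:05:00Z", "message": "run query: search job died"},
    {"id": 103, "playbook": "enrich_ip", "container": 44, "status": "failed",
     "start_time": "2023-01-25T09:00:00Z", "message": "connection refused"},
]})

def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_runs_since(response_json, since_iso):
    """Return runs with status 'failed' started at or after `since_iso`, newest first."""
    since = _ts(since_iso)
    failed = [run for run in json.loads(response_json).get("data", [])
              if run.get("status") == "failed" and _ts(run["start_time"]) >= since]
    return sorted(failed, key=lambda r: r["start_time"], reverse=True)

def build_alert(failed, threshold=1):
    """Return an email body when at least `threshold` failures were found, else None."""
    if len(failed) < threshold:
        return None
    lines = ["%d failed SOAR playbook run(s):" % len(failed)]
    for run in failed:
        lines.append("- run %s of '%s' on container %s at %s: %s" % (
            run["id"], run["playbook"], run["container"], run["start_time"],
            run.get("message") or "no message"))
    return "\n".join(lines)

def fetch_playbook_runs(base_url, token, verify=True):
    """Live query for the timer-driven job; not called by the offline sample."""
    import requests  # third-party; only needed for the live call
    resp = requests.get(base_url + "/rest/playbook_run",
                        headers={"ph-auth-token": token}, verify=verify, timeout=30)
    resp.raise_for_status()
    return resp.text
```

Feed `fetch_playbook_runs(...)` into `failed_runs_since(..., last_poll_time)` on each timer tick and hand the non-None result of `build_alert` to your send_email action.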

CS_
Path Finder

Yep - just like @phanTom says - you can check the "status" output for an app action. I would do something like this:

[screenshot: CS__0-1674700162022.png]

The decision checks the status of the Splunk "Run Query" app action: if successful, end; else, send an email.

You can do stuff with "try/except" in regular code blocks but to be honest they become a pain to manage in larger playbooks. I know when I started with playbooks, I had to try and unlearn how I'd do it in Python, and think about it in terms of SOAR's playbook capabilities, but I am better off for it 😄


nongingerale
Explorer

That makes sense, thanks for the help!



nongingerale
Explorer

Thanks! Appreciate the help.
