Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Phantom Decision Filter

tbrown110
New Member
‎09-11-2020 08:04 AM

Hello,

I have a playbook that is currently in production and I don't want to randomly test it without asking the question first.  We have a condition that has to be met in order for our playbook to continue via an if / else  decision filter. This filter is based on whether or not an user is an Employee or Non-Employee.

However, we have other employee and non-employee types, example would be "Employee Executive".  With this, currently the operators are 

== Employee
OR

== Non-Employee

 

I'm wondering if the "in" option is more of a contains?  could I switch the operator values to just "in Employee", since the word Employee is in all string options we would want to evaluate to true on?  anything else is false and follows the else path. 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎09-16-2020 02:14 AM

@tbrown110  the 'is in' statement is a string match. For this case it would work as you described, if you put "Employee" is in "<datapath_value(s)>" then if there is any occurrence of the word employee in the data values (single or list) it will match as true.  The problem you may have is if the Non-Employees have the word 'Employee' in the data then it will still resolve to true and pass down the Employee route.

Please add a tick below if this answers your question. Thanks.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎09-16-2020 02:14 AM

@tbrown110  the 'is in' statement is a string match. For this case it would work as you described, if you put "Employee" is in "<datapath_value(s)>" then if there is any occurrence of the word employee in the data values (single or list) it will match as true.  The problem you may have is if the Non-Employees have the word 'Employee' in the data then it will still resolve to true and pass down the Employee route.

Please add a tick below if this answers your question. Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...