Splunk SOAR
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- SOAR101 question regarding passing variables
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
NuttyBrown
Engager
a month ago
Just getting started with SOAR and I am encountering a scenario where I obviously don't understand the concept enough. I could use a push in the right direction to understand how I'm supposed to pass output from a Splunk action block to a decision or utility block. Logic is as follows:
1. We utilize a Splunk -- Timer asset to schedule execution of playbook at certain time
2. First block is a Splunk query action block; basic SPL is
index=custom_index usernames=* | table usernames, emailAddresses, userScore3. I want to pass the usernames to a decision block, and this is where I get lost. I see event choices, and CEF fields, etc. as options, but nothing explicitly stated for "usernames". Am I supposed to custom code a solution using action_result.data, and if so, can I get a hint on how to do so? (this wasn't covered in my creating playbooks course)
Thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
4 weeks ago
Hi
To pass the usernames field from your Splunk action block to a decision or utility block in SOAR, use the custom output paths from the action result.
In the decision block, reference the field as action_result.data.*.usernames.
The Splunk action block returns results as a list of dictionaries under action_result.data.
The .*. wildcard iterates over each result, accessing the usernames field from each row.
Field names are case-sensitive and must match exactly as returned by your SPL.
If your SPL returns multiple rows, the path will return a list of values.
The following docs pages may also be useful:
https://docs.splunk.com/Documentation/SOAR/current/Playbook/SpecifyData
https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/DataPath
https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/Datapaths
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
4 weeks ago
Hi
To pass the usernames field from your Splunk action block to a decision or utility block in SOAR, use the custom output paths from the action result.
In the decision block, reference the field as action_result.data.*.usernames.
The Splunk action block returns results as a list of dictionaries under action_result.data.
The .*. wildcard iterates over each result, accessing the usernames field from each row.
Field names are case-sensitive and must match exactly as returned by your SPL.
If your SPL returns multiple rows, the path will return a list of values.
The following docs pages may also be useful:
https://docs.splunk.com/Documentation/SOAR/current/Playbook/SpecifyData
https://docs.splunk.com/Documentation/SOAR/current/DevelopApps/DataPath
https://docs.splunk.com/Documentation/Phantom/4.10.7/PlaybookAPI/Datapaths
🌟 Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Get Updates on the Splunk Community!
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
The Latest Cisco Integrations With Splunk Platform!
Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
