Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

get datapath variable as a string rather then a list

meshorer
Path Finder
‎02-13-2024 09:46 AM

hello all,

I have an app that to perform an action I cant insert the required parameter as a list. but as a string.
this is a bit issue because I am using data value from action results as the parameter to insert, for example: 
"my_App_action:action_result.data.*.device_id"
and as far as I understand, action_result.data collection is always an array. so I can not use directly this action results returned parameter as a parameter to insert to my action.

the only workaround I found is to add a code block that gets the datapath-parameter as input, and outputs the value_name[0].


is there a better workaround for this?

 

Labels (1)
Labels
0 Karma
Reply

UnifiedSubtly
New Member
‎02-28-2024 03:29 AM

I'm struggling to find a solution to this too. I've got a format block to grab out 5 values from the haveibeenpwned API and one is always returned as an array.

From there, have a format block to cycle through and create a markup table:

UnifiedSubtly_0-1709119922582.png

Just trying to get the "Data Compromised" table to appear as a string without the any of the [ ' ] symbols.

 

0 Karma
Reply

jenniandthebets
Explorer
‎02-28-2024 06:59 AM

Before you format your table, you'll need to take your return value in the array and convert it to a string. You will need to do some custom code for this.

The beauty of SOAR is that you're able to throw in some python code to manipulate the data in whatever way you want it to.

0 Karma
Reply

jenniandthebets
Explorer
‎02-15-2024 08:24 AM

You're definitely on the right track with your method - you wouldn't actually need to add in the custom code block for this, you can just add it into the commented section of your action block. Depending on your use cases and if it's something you expect to need to do often, it might warrant a custom function. 

An alternative, if you're only ever expecting a single value returned in that list, could be to use the format blocks, but it's definitely not as clean a solution there.

If you haven't read through it yet, this was a super helpful link in the documentation to help jumpstart my overall SOAR knowledge - https://docs.splunk.com/Documentation/SOAR/current/PlaybookAPI/Datapaths

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top