Splunk SOAR

result from value field in playbook is none

ASEP
Engager

Hi, I have a problem with a field in a playbook.

I'm building a SOAR playbook to check network traffic to Active Directory Web Services, and I'm stuck on one field.

My objective:

Use a Run Query action in SOAR to pull additional_action. If additional_action contains "teardown", route the playbook down a specific branch.

tstats summariesonly=true fillnull_value="unknown"
  values(All_Traffic.src) as src
  values(All_Traffic.dest) as dest  
  values(All_Traffic.additional_action) as additional_action
  values(All_Traffic.status_action) as status_action
  values(All_Traffic.app) as app
  count 
  from datamodel="Network_Traffic"."All_Traffic" 
  WHERE (All_Traffic.src_ip IN ({0})) 
    AND (All_Traffic.dest_ip IN ({1})) 
    AND (All_Traffic.dest_port="{2}") 
  by All_Traffic.session_id
| nomv additional_action

[screenshot]

If I use the query directly, there is a teardown result.

[screenshot]

I have added the field additional_action.

[screenshot]

But the result from the playbook is: Parameter: {"comment":"Protocol value None , please analyze again.

Is there any way to solve this problem?


livehybrid
SplunkTrust

Hi @ASEP 

The field value from a "Run Query" action in a Splunk SOAR playbook needs to be accessed from the list of results returned by the action. Simply adding the field name under "Fields to add to output" makes the field available, but you still need to reference the correct result object.

The Run Query action typically returns a list of results in the results.data attribute of the action's output. You need to access the specific result you are interested in (e.g., the first one) and then the field within that result.

Assuming your "Run Query" action is named your_action_name, you can access the additional_action field from the first result using templating like this:

{{ your_action_name.results.data[0].additional_action }}


You can then use this value in subsequent playbook logic, such as a decision block to check if it contains "teardown".

The Run Query action returns a list of result objects in action_name.results.data. Each object in this list corresponds to a row returned by your Splunk query. You access elements in the list using square brackets [index] and fields within an object using dot notation .field_name.

Check that the results.data list is not empty before attempting to access elements by index (like [0]), to prevent errors or None values if the query returns no results. I think you should be able to use a {% if your_action_name.results.data %} block for this.

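The access pattern and the empty-result guard described in the answer, written out as playbook-style Python. This is an added example, not code from the thread, from Splunk SOAR or from the Splunk app; it assumes the output shape the answer describes (a list of action results, each carrying a "data" list of row dicts keyed by the query's output fields), the sample rows are constructed, and the branch names and helper names are hypothetical. It also goes a little beyond the thread: it handles the field being absent, None or a list on a given row, and checks every row rather than only [0].

```python
"""Route a SOAR playbook on the additional_action field from a Run Query action.

Added example (not from the thread or from Splunk). The action output is
modelled on the answer's description: a list of action results, each with a
"data" list of row dicts keyed by the fields the query returned.
"""
from __future__ import annotations

from typing import Any

TEARDOWN_MARKER = "teardown"

# Constructed sample of what the tstats query in the question could hand back.
# Row s1 has the value we route on, row s2 has no additional_action at all
# (this is the case that rendered as "None" in the question's comment), and
# row s3 shows a multivalue field arriving as a list (assumed shape).
SAMPLE_ACTION_RESULTS: list[dict[str, Any]] = [
    {
        "status": "success",
        "data": [
            {"All_Traffic.session_id": "s1", "src": "10.0.0.5", "dest": "10.0.0.10",
             "additional_action": "teardown", "status_action": "allowed", "app": "ldap", "count": "4"},
            {"All_Traffic.session_id": "s2", "src": "10.0.0.6", "dest": "10.0.0.10",
             "status_action": "allowed", "app": "ldap", "count": "1"},
            {"All_Traffic.session_id": "s3", "src": "10.0.0.7", "dest": "10.0.0.10",
             "additional_action": ["unknown", "teardown"], "status_action": "allowed",
             "app": "ldap", "count": "2"},
        ],
    },
]


def rows_from_results(action_results: list[dict[str, Any]] | None) -> list[dict[str, Any]]:
    """Flatten every row of every action result; tolerate a missing or None "data"."""
    rows: list[dict[str, Any]] = []
    for result in action_results or []:
        data = result.get("data") or []
        rows.extend(row for row in data if isinstance(row, dict))
    return rows


def field_values(rows: list[dict[str, Any]], field: str) -> list[str]:
    """Non-empty string values of `field`, skipping rows where it is absent or None."""
    values: list[str] = []
    for row in rows:
        value = row.get(field)
        if value is None:
            continue
        if isinstance(value, list):  # multivalue field delivered as a list (assumed)
            values.extend(str(v) for v in value if v not in (None, ""))
        elif str(value) != "":
            values.append(str(value))
    return values


def route(action_results: list[dict[str, Any]] | None) -> str:
    """Pick the branch: "no_results", "teardown" or "no_teardown" (hypothetical names)."""
    rows = rows_from_results(action_results)
    if not rows:
        return "no_results"  # nothing came back, so never index data[0]
    actions = field_values(rows, "additional_action")
    if any(TEARDOWN_MARKER in a.lower() for a in actions):
        return "teardown"
    return "no_teardown"


def comment_for(action_results: list[dict[str, Any]] | None) -> str:
    """Text for the comment/note block; never renders the literal 'None'."""
    rows = rows_from_results(action_results)
    actions = field_values(rows, "additional_action")
    if not actions:
        return ("additional_action not returned by the query (%d row(s)); "
                "please analyze again manually" % len(rows))
    return "additional_action values: " + ", ".join(sorted(set(actions)))


if __name__ == "__main__":
    # In a real playbook callback, the action results would come from the
    # `results` argument (or phantom.collect2 on the action's datapath); here
    # the constructed sample stands in for them.
    print(route(SAMPLE_ACTION_RESULTS))
    print(comment_for(SAMPLE_ACTION_RESULTS))
```

The design choice worth keeping is that the decision looks at every returned row, not just data[0]: the query groups by session_id, so the teardown can sit on any row, and an index of [0] on an empty list is exactly what turns into the "None" seen in the question.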
