Splunk SOAR (f.k.a. Phantom)

Action Run Splunk Query Issues

wilcompl1334
Explorer

I'm running into an issue where I have multiple artifacts that are being submitted as a Splunk query. Below is my current workflow:

  1. Extract domains from URL
  2. Format Splunk query as such: '|inputlookup someCSV.csv | search domain={0}'
  3. Run Splunk query

The issue lies in the Splunk query that is run appears to be appending the artifacts in a comma delimited list rather than individual queries:

  • query = | inputlookup someCSV.csv | search domain=domain1.com, domain2.com, domain3.com

When i'm expecting the following searches to be run:

  • query = | inputlookup someCSV.csv | search domain=domain1.com
  • query = | inputlookup someCSV.csv | search domain=domain2.com
  • query = | inputlookup someCSV.csv | search domain=domain3.com

Is there a way to construct this so each domain extracted is run in a separate Splunk query?

Labels (2)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@wilcompl1334 you will need to pass in the formatted_data.* output from the format block into the query field of the run_query action (as per the diagram).

Try selecting each option and watch the Code in the Playbook Editor tab for the change:
* If using formatted_data.* output the code has a for loop to add a single parameter for each item found in the formatted data output

* If using just formatted_data it passes in the list (built in the format block using %'s) as a single string parameter. 

So unless you are doing something custom I am not aware of, simply by using the %%{0}%% method in the format block and selecting the formatted_data.* datapath in the query field, Phantom will see each item in the list as a separate parameter and pass them individually into the run_query action.

Using the format block with the %%{0}%% in will create:
| inputlookup someCSV.csv | search domain=domain1.com
| inputlookup someCSV.csv | search domain=domain2.com
| inputlookup someCSV.csv | search domain=domain3.com

 
If you pass it in as just formatted_data then the code will look like this:

# build parameters list for 'run_query_1' call
parameters.append({
    'command': "search",
    'query': formatted_data_1,
    'display': "",
    'parse_only': "",
})

However if you use the formatted_data.* it will/should change to this:
# build parameters list for 'run_query_1' call
for formatted_part_1 in formatted_data_1:
    parameters.append({
        'command': "search",
        'query': formatted_part_1,
        'display': "",
        'parse_only': "",
})

I am 100% sure, again unless you are doing something custom I am not aware of, this will work for you. 

View solution in original post

jesuamal
Loves-to-Learn Everything

Hi

I am currently working on a similar task that passing the formatted block value to Splunk query to get an out put required for the next action.  My search query

 |inputlookup agentid.csv | search hostname=hostname1| fields agentid

My format block configured as below,

Template

{0}

Template Parameters

0 = get_variables_2:action_result.data.*.Computer ID

 

Can you please advise me how to pass this computer ID to my Splunk query as  mentioned above?

 

 

 

 

0 Karma

phanTom
SplunkTrust
SplunkTrust

@wilcompl1334 you will need to pass in the formatted_data.* output from the format block into the query field of the run_query action (as per the diagram).

Try selecting each option and watch the Code in the Playbook Editor tab for the change:
* If using formatted_data.* output the code has a for loop to add a single parameter for each item found in the formatted data output

* If using just formatted_data it passes in the list (built in the format block using %'s) as a single string parameter. 

So unless you are doing something custom I am not aware of, simply by using the %%{0}%% method in the format block and selecting the formatted_data.* datapath in the query field, Phantom will see each item in the list as a separate parameter and pass them individually into the run_query action.

Using the format block with the %%{0}%% in will create:
| inputlookup someCSV.csv | search domain=domain1.com
| inputlookup someCSV.csv | search domain=domain2.com
| inputlookup someCSV.csv | search domain=domain3.com

 
If you pass it in as just formatted_data then the code will look like this:

# build parameters list for 'run_query_1' call
parameters.append({
    'command': "search",
    'query': formatted_data_1,
    'display': "",
    'parse_only': "",
})

However if you use the formatted_data.* it will/should change to this:
# build parameters list for 'run_query_1' call
for formatted_part_1 in formatted_data_1:
    parameters.append({
        'command': "search",
        'query': formatted_part_1,
        'display': "",
        'parse_only': "",
})

I am 100% sure, again unless you are doing something custom I am not aware of, this will work for you. 

wilcompl1334
Explorer

@phanTomThanks for the help with this, on going question as I'm now seeing the query that is passed actually formatted as such:

  • query: "| inputlookup someCSV.csv | search domain=domain1.com | inputlookup someCSV.csv | search domain=domain2.com | inputlookup someCSV.csv | search domain=domain3.com"

Rather than individual queries, it appears it's formatted these all as a single, chained query, and passed it off to Splunk.

I'm not at the terminal any longer, but do I need to loop the run_query block as well with the output of formatted_data.* by doing the same for the input of run_query:

 

%%

{0}

%%

 

 

0 Karma

phanTom
SplunkTrust
SplunkTrust

@wilcompl1334 

I can see you are using a format block due to the {0} item so this is a nice simple one 😄

If you wrap your format content like  this and use the formatted_data.* output in the run_query block:

%%
|inputlookup someCSV.csv | search domain={0}
%%

You should see in the run_query that Phantom builds the for loop based on the formatted_data.* being recognised as a list object. Without the formatted_data.* it will dump all 3 as a single string. 

If this helps please mark as so, or ask for more assistance.

phanTom

 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...