Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filter block not working when event does not contain an artifact

N_K
Engager
‎10-21-2024 07:11 AM

I have a playbook setup to run on all events in a 10minute_timer label using the Timer app. These events do not contain artifacts.

I've noticed the playbook runs fine when testing on a test_event that contains an artifact. When I moved it over to run on the timer label it dies when it gets to my filter block. I've also run the exact same playbook on an event in my test_label which also didn't contain an artifact and that too fails.

I've tested it without the filter block and used a decision instead, that works fine. Both blocks share the same Scope in the Advanced settings drop down. My conditions are fine in the filter block and should evaluate to True, I added a test condition on the label name to make sure of this and even that is not triggering. 

I think this may be a bug, I'm open to being wrong but not sure what else I can do to test it. 

 

Thanks

I believe this is a bug with SOAR. 

Labels (2)
0 Karma
Reply

marnall
Motivator
‎10-21-2024 01:36 PM

I would be interested if you find a "clean" way to make it work. I've had a scenario like this where the filter blocks would not work with artifact-less containers, yet I needed filters to handle the containers with and without artifacts.

My solution was to add a dummy artifact at the start of the playbook and then delete it near the end.

0 Karma
Reply

phanTom
SplunkTrust
SplunkTrust
‎10-24-2024 09:03 AM

@marnall I think the cleanest way, until they fix it, would be to build a Custom Function that uses REST to check the for the <thing> you want and then output a boolean to then use downstream. 

At least the CF could be made re-usable for similar use cases. 

 

Reply

N_K
Engager
‎10-21-2024 11:34 PM

@marnall - Yes I thought about doing that myself, as you said it's not 'clean' though, we shouldn't really have to.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...