Splunk SOAR

How do you achieve "for" loops?

rivaanb
Engager

Hi,

We've been trying to use "for loop" logic within playbook app actions. However, there seems to be no way to achieve this out of the box.

For example, we use the action "get file" - this action only accepts one machine id at a time. We want to get multiple files via this action (for each item, send to "get file"), thereafter send each file through a sub playbook and then return all outputs to a prompt in the main playbook with enrichment.


phanTom
SplunkTrust

@rivaanb 
SOAR already uses loops to build parameter lists to pass into actions. Once you understand how the platform passes information into and out of actions it's not too bad 😄

It depends where you are getting the ids, but if you can build a list of ids to pass into 'get_file' in a Code Block, output them as a Python list, then pass it into a format block:
%%
{0}
%%

0 = your Python list of ids

Then in the 'get_file' action use the '...formatted_data.*' output from the format block, you will see SOAR create a for loop and loop through each value, add it to a parameters list then call the action. 

I suspect the get_file will then just provide a vaultId for the file(s) it got. If so then you just need to pass those vaultId values to your input-playbook. 

The prompt is trickier and IMO if there is a lot of enrichment data I usually add note(s) to a task and then provide a "determination playbook" for the user to run once they have read and understood the note(s). This stops the automation hanging waiting for a prompt response and makes the system more efficient from my exp.

Happy SOARing - If this helped please mark as a solution or feel free to ask more questions. 
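
A stand-alone Python model of the flow described in the answer above (Code Block list, `%%` format block, per-item parameter list, one action result per item), added here as an illustration; it is not code from the post and not SOAR's generated playbook code. The artifact field `machineId`, the parameter key `id`, and the `fake_get_file` stub with its vault ids are assumptions made for the example.

```python
import re

# Constructed sample artifacts; the field name "machineId" is an assumption.
ARTIFACTS = [
    {"cef": {"machineId": "host-001"}},
    {"cef": {"machineId": "host-002"}},
    {"cef": {"machineId": "host-001"}},   # duplicate
    {"cef": {"machineId": ""}},           # empty value
    {"cef": {}},                          # field missing
]
TEMPLATE = "%%\n{0}\n%%"  # the format block template from the answer

def collect_ids(artifacts):
    """Code Block step: return a clean Python list of ids (no blanks, no duplicates)."""
    ids = []
    for artifact in artifacts:
        value = artifact.get("cef", {}).get("machineId")
        if value and value not in ids:
            ids.append(value)
    return ids

def render_format_block(template, values):
    """Simplified model of the format block: the text between the %% markers
    is rendered once per list item, which is what 'formatted_data.*' exposes."""
    match = re.search(r"%%\n(.*?)\n%%", template, re.S)
    if match is None:
        return [template.format(values)]
    return [match.group(1).format(value) for value in values]

def build_parameters(formatted_items, key="id"):
    """The loop in front of the action: one parameter dict per formatted item."""
    parameters = []
    for item in formatted_items:
        if item is not None and item.strip():
            parameters.append({key: item.strip()})
    return parameters

def fake_get_file(parameters):
    """Stand-in for the action: one result per parameter dict, with a made-up vault id."""
    return [{"parameter": p, "vault_id": "vault-%03d" % n}
            for n, p in enumerate(parameters, start=1)]

if __name__ == "__main__":
    params = build_parameters(render_format_block(TEMPLATE, collect_ids(ARTIFACTS)))
    for result in fake_get_file(params):
        print(result["parameter"]["id"], "->", result["vault_id"])
```

Cleaning the list in the Code Block step matters because every entry that reaches the parameter list becomes a separate action run.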
