Splunk SOAR
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to continue playbook (i.e. 'catch error') if an app action fails?

catherinelam
Explorer
‎07-19-2024 07:00 AM

I guess the question can be broad, but I am coming from the following scenario: I am using the Splunk app, which has been configured and connection tested successfully in SOAR. 

Recently, something happened that I did not expect - the credentials to Splunk were rejected and the action to "run query" returned with an expected message of: "Unauthorized Access (401)". But then the action terminated there and did not continue with the rest of the playbook. 

I have another app action for Ansible Tower to run a (Ansible) playbook (action name is "run job"), and if the Ansible playbook fails, the action in Splunk SOAR is marked as FAILED, but the SOAR playbook continues otherwise. I can't tell what the difference is between these two actions that allows one to continue, but the other to halt the SOAR playbook progression.

Any advice is appreciated. 🙂 

Labels (1)
Labels
0 Karma
Reply

SOARt_of_Lost
Path Finder
‎07-30-2024 07:41 AM

My first thought is that the blocks downstream from the ansible block don't require it to complete, while the blocks downstream from the splunk block do. To check on this:

  1. Click on all downstream blocks
  2. For each, open the advanced dropdown in the left panel
  3. See if the Join Settings require the ansible/splunk blocks
  4. If you don't want the block to be required, uncheck the box here

 

To directly answer your title question, you can build your own error handling by placing a decision block after the splunk block to check whether splunk_block:action_results:status returns success or failed. If you take this approach and have the different branches reconnect at any point, you'll have to check the join settings because they will automatically require the splunk block to have completed even if your playbook previously followed the "failed" path.

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...