Splunk SOAR

How to pass data between actions

GeorgeOrwell
Explorer

I have two actions linked together.
The first one is a block with custom code where I want to list all of the files inside a directory using `os.listdir()`.
The second one is a decision block.
I would like to be able to pass the result of the first block into the second.
How can I go about it?


phanTom
SplunkTrust

@GeorgeOrwell no, as it doesn't work like that, and this would be a lot of custom code that would break the blocks (except code blocks & custom functions).

A code block or custom function is by far the best solution to your issue. 

Best practice would be to build an app with a `list directories` action, as this is scalable and extendable, and you would then be able to use the outputted datapath in a decision with no issues at all.

phanTom
SplunkTrust

@GeorgeOrwell in either custom code element (code block/custom function) you can set up to 10 outputs.

When you set an output on a Code Block you will see that it will be added to the code of the block:

```
<function_name>__<output_name> = None
```

In the code you simply need to build what you want to pass out, assign it to the above variable and then you should be able to select/use the output downstream in the decision. Be aware though that decisions have limited capability when it comes to list items in that it only really works with `in` and `not in` operators. 

If using a new custom function, then simply map the list to one of the outputs configured in the settings and then make sure it's all nested in the `outputs` variable at the end of the function, and you should be able to use it in the decision.
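The Code Block approach described in the answer above, as an added example that is not part of the original thread or of Splunk's own code. The block name `code_1`, the output name `file_list`, the path in `WATCH_DIR` and the downstream `decision_1` are assumptions, and `phantom` exists only inside the SOAR playbook runtime.

```python
import json
import os

try:
    import phantom.rules as phantom  # present only inside the SOAR playbook runtime
except ImportError:
    phantom = None  # lets the helper below be exercised outside SOAR


def list_regular_files(directory):
    """Return a sorted list of regular-file names directly inside `directory`.

    Always returns a plain list of str: it has to survive json.dumps(), and a
    decision can only compare a list with `in` / `not in`. A missing or
    unreadable directory yields [] instead of raising mid-playbook.
    """
    try:
        names = os.listdir(directory)
    except OSError:
        return []
    return sorted(n for n in names if os.path.isfile(os.path.join(directory, n)))


# Shape of a Code Block named "code_1" with one output named "file_list".
# Both names, WATCH_DIR and decision_1 are assumptions made for this example.
WATCH_DIR = "/opt/example/dropbox"  # hypothetical path


def code_1(container=None, **kwargs):
    code_1__file_list = None  # the line added to the block when the output is set

    # ---- custom code start ----
    code_1__file_list = list_regular_files(WATCH_DIR)
    # ---- custom code end ----

    # Same "<block>:<output>" key form and json.dumps() value as the
    # save_run_data() call quoted later in the thread.
    phantom.save_run_data(key="code_1:file_list", value=json.dumps(code_1__file_list))
    decision_1(container=container)  # next block, defined elsewhere in the playbook
```
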

GeorgeOrwell
Explorer

What if I am using neither a Code Block nor a Custom Function, but instead I have an "Add note" action which I reworked completely?


phanTom
SplunkTrust

@GeorgeOrwell that's so v3.5 😉

Code blocks (legacy custom functions) were introduced so we didn't have to "butcher" existing blocks 😄 This was the bane of my life as a PS-er until they gave us code blocks 🙂 

I would move your code/capability to the Code Block at a minimum, otherwise you will need to use the old method of saving and retrieving data, which is clunky at best, using "save_object/get_object":

https://docs.splunk.com/Documentation/SOARonprem/5.3.2/PlaybookAPI/DataManagementAPI#save_object 


GeorgeOrwell
Explorer

What about `phantom.save_run_data()`? Can we later access it by key from a decision block without modifying it?

Say we have:

```python
phantom.save_run_data(key='add_note_13:temp_var', value=json.dumps("Hello"))
```

Can we access "add_note_13:temp_var" in a decision block?
