Splunk SOAR

SOAR - Only add to the list when the condition is met?

newsplunker1
Path Finder

Hi,

I have a list of hosts that I want to check the status of, so I have created an if statement to filter out the ones that do not meet the condition; then I have an action to ping the ones that met the IF statement.

ex: 

host1, host2,host3,host4

if host==host1 OR host == host4 

The next action would be to scan ONLY (host1, host4).

I have the playbook working with all actions, but I just could not figure out how to only process the hosts that meet the IF condition.

Thanks

phanTom
SplunkTrust

@Anonymous Where is this IF statement?

Are you using it in a Code block with a python if statement, or are you using a decision/filter?

The best-practice way to achieve what you want here is to use a decision and filter combination:

1. Decision with your condition host = X OR host = Y -> Continue (add an ELSE as another condition/output in case nothing matches).
2. Filter with the exact same config as the decision above.
3. In the action block, make sure to use the "filtered_data:<datapath to host value>" input; it should only pass through values that matched the filter condition.

If you are using a code block for your if statement, then you need to add the values that pass to a Python list, then output that from the code block to a format block set up like below:

%%
{0}
%%

0 = The code block output list

Then, in the subsequent action, use the "formatted_data.*" output for the action to loop through the contents of the list.

The top way, though, is by far the best and simplest way to achieve what you want, as code blocks should only be used for complicated data manipulation (such as needing to do AND and OR in the same statement, which decisions/filters can't do).

-- If this helped solve your issue please mark as a solution! Happy SOARing! --

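A stand-alone illustration of the second approach in the answer above (a code block that builds a Python list, hands it to a format block with the "%%/{0}/%%" template, and feeds the following action). This is an added example, not code from the thread or from Splunk; it runs offline on constructed sample rows shaped like the output of phantom.collect2. The datapath names, the "ip_hostname" parameter name and the "context" dict are assumptions about the ping app and artifact layout in use. It also keeps the artifact id next to each host, which is what the asker's follow-up about host1/index1 and host3/index3 needs.

```python
# Added example (not from the thread or from Splunk): the list-building logic a
# SOAR custom code block would use for "only process hosts that pass the IF".
# Runs stand-alone on constructed sample rows. In a real playbook the rows would
# come from phantom.collect2(container=container, datapath=[...]); the datapath
# names mentioned below are assumptions about the artifact layout.

ALLOWED_HOSTS = {"host1", "host4"}  # the decision: host == host1 OR host == host4

# Constructed sample in the shape collect2 returns for
# ["artifact:*.cef.destinationHostName", "artifact:*.id"]:
# one row per artifact, columns in datapath order.
SAMPLE_ROWS = [
    ["host1", 1],
    ["host2", 2],
    ["host3", 3],
    ["host4", 4],
    [None, 5],  # artifact with no hostname; must never reach the action
]


def select_matching(rows, allowed=ALLOWED_HOSTS, predicate=None):
    """Keep only rows whose host passes the condition.

    By default the condition is membership in `allowed` (the OR case a decision
    block can express). Pass `predicate(host, artifact_id)` for the mixed
    AND/OR conditions the answer says need a code block. The artifact id
    travels with each host so later actions can tie results back to the
    originating artifact.
    """
    if predicate is None:
        predicate = lambda host, _aid: host in allowed
    return [
        {"host": host, "artifact_id": artifact_id}
        for host, artifact_id in rows
        if host is not None and predicate(host, artifact_id)
    ]


def build_action_parameters(matches, hostname_param="ip_hostname"):
    """Parameter list for the follow-up action (e.g. ping), one dict per
    surviving host. The parameter name and the 'context' dict mirror the
    convention SOAR's generated playbook code uses (assumption for the app
    in use); 'context' lets the action's callback map results to artifacts.
    """
    return [
        {hostname_param: m["host"], "context": {"artifact_id": m["artifact_id"]}}
        for m in matches
    ]


def render_format_block(matches):
    """Equivalent of the answer's format block template:

        %%
        {0}
        %%

    with {0} bound to the list of hosts. The %% body repeats once per list
    element, giving one host per line, which is what formatted_data.* then
    iterates in the next action.
    """
    return "\n".join(m["host"] for m in matches)


if __name__ == "__main__":
    matches = select_matching(SAMPLE_ROWS)
    print(render_format_block(matches))
    print(build_action_parameters(matches))
```

Inside a real playbook, `select_matching` is the body of the custom code block, `render_format_block` is what the format block does for you, and `build_action_parameters` produces the `parameters` list handed to the action; the constructed rows simply stand in for the collect2 call.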

newsplunker1
Path Finder

@phanTom Thanks for taking the time to look into this one for me.

So I'm using %% to loop through the list of hosts I want to scan/ping, but my struggle, I guess, is how to output the result into a format block where I can call it later on for other actions.

Host 1 with index 1 and host 3 with index 3 pass the decision block, so my next step is to only apply other actions on those (host1/index1, host3/index3).

I hope I made this clearer than before.

Thanks