Splunk SOAR

SOAR - Only add to the list when the condition is met?

newsplunker1
Path Finder

Hi,

I have a list of hosts whose status I want to check, so I have created an if statement to filter out the ones that do not meet the condition, then I have an action to ping the ones that met the IF statement.

ex:

host1, host2, host3, host4

if host == host1 OR host == host4

The next action would be to scan ONLY (host1, host4)

I have the playbook working with all actions, but I just could not figure out how to only process the hosts that meet the IF condition.

Thanks 


phanTom_old
SplunkTrust

@Anonymous, where is this IF statement?

Are you using it in a Code block with a python if statement, or are you using a decision/filter?

The best-practice way to achieve what you want here is to use a decision and filter combination:

1. Decision has your "if host = X OR host = Y" -> Continue (add an ELSE as another condition/output in case none matches)
2. Filter with the exact same config as the decision above
3. In the action block make sure to use the "filtered_data:<datapath to host value>" input, and it should only pass through values that matched the filter condition.

If you are using a code block for your if statement, then you need to add the values that pass to a Python list, then output that from the code block to a format block set up like below:

%%
{0}
%%

0 = The code block output list

Then in the subsequent action use the "formatted_data.*" output for the action to loop through the contents of the list. 

The top way, though, is by far the best and simplest way to achieve what you want, as code blocks should only be used for complicated data manipulation (such as needing to do AND and OR in the same statement, which decisions/filters can't do).

-- If this helped solve your issue please mark as a solution! Happy SOARing! --

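The following is an added, standalone illustration of the pattern in the answer above (decision -> filter -> action on the filtered rows, and the `%% ... %%` loop template for the code-block variant). It is not code from the thread or from Splunk SOAR; it does not import the playbook API, but emulates two of its shapes in plain Python: the `[value, artifact_id]` row list that `phantom.collect2` returns, and the per-element rendering a Format block performs for a template wrapped in `%%` markers. The four hosts are constructed sample data, and the `ip_hostname` parameter name is an assumption (check the action spec of the ping/scan app you use). Note that in the SOAR UI the datapath prefix is spelled `filtered-data:` with a hyphen.

```python
"""Emulate SOAR's filter -> action -> format hand-off with plain Python.

Constructed sample data; no Splunk SOAR API is imported or required.
"""

# Constructed sample: the shape phantom.collect2(container=container,
# datapath=["artifact:*.cef.destinationAddress", "artifact:*.id"])
# hands back for four artifacts. Each row is [value, artifact_id].
COLLECTED = [
    ["host1", 1],
    ["host2", 2],
    ["host3", 3],
    ["host4", 4],
]


def filter_hosts(collected, allowed):
    """Emulate a Filter block whose condition is `host == X OR host == Y`.

    Only rows whose value is in `allowed` pass. The artifact id travels
    with the value so a later action result can still be tied back to the
    artifact it came from (this is what `filtered-data:` preserves).
    """
    allowed = set(allowed)
    return [row for row in collected if row[0] in allowed]


def build_action_parameters(filtered):
    """Shape filtered rows into the parameter list an action block consumes.

    One parameter dict per matching host; `context` carries the artifact id.
    `ip_hostname` is an assumed parameter name, not taken from the thread.
    """
    params = []
    for host, artifact_id in filtered:
        params.append({
            "ip_hostname": host,
            "context": {"artifact_id": artifact_id},
        })
    return params


def render_loop_template(template, values):
    """Emulate a Format block with a `%% ... %%` loop section.

    The text between the two `%%` markers is rendered once per element of
    the list, which is what lets the next action iterate over
    `formatted_data.*`. Text outside the markers is rendered once.
    """
    head, body, tail = template.split("%%")
    rendered = [body.strip().format(value) for value in values]
    return head.strip(), rendered, tail.strip()


def run_example():
    """End-to-end: filter, build action params, and render the loop template."""
    passed = filter_hosts(COLLECTED, ["host1", "host4"])
    params = build_action_parameters(passed)
    # Code-block variant: hand only the passing values to the format block.
    _, lines, _ = render_loop_template("%%\n{0}\n%%", [row[0] for row in passed])
    return passed, params, lines


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

Both variants end with the same two rows (host1/id 1 and host4/id 4) reaching the next action; the non-matching hosts never appear in its parameter list, which is the behaviour the question is after.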

newsplunker1
Path Finder

@phanTom_old Thanks for taking the time to look into this one for me.

So I'm using %% to loop through the list of hosts I want to scan/ping, but my struggle, I guess, is how to output the result into a format block where I can call it later on for other actions.

host1 with index 1 and host3 with index 3 pass the decision block, so my next step is to only apply other actions on those (host1/index1, host3/index3).

I hope I made this clearer than before.


Thanks 
