
Splunk Answers Content Calendar, July Edition I

Anam
Community Manager

Hello Community!

Welcome to another month of the Community Content Calendar series! For the month of July, we will be focusing on Splunk & Cisco SOAR. As usual, we will be highlighting contributions from our awesome users.

Our contributors who are highlighted for providing a solution will be given a $25 Cisco Store gift card for their knowledge & expertise.  

How to Pass Variables from a Splunk Action Block to a Decision Block in Cisco SOAR Playbooks

When you’re just getting started with Cisco SOAR and building playbooks, one common challenge is understanding how to pass data between different blocks. A typical scenario is retrieving data from a Splunk query action block and then using that data in a decision or utility block. In this blog, we’ll walk through how to pass usernames returned by a Splunk action block to a decision block without needing custom code.

The Problem: Understanding the Splunk Action Block Output

Our user @NuttyBrown brought this to our attention. Imagine you have a playbook triggered by a Splunk Timer asset that schedules execution at a specific time. The first block in your playbook runs a Splunk query using SPL (Search Processing Language) to retrieve usernames. Your goal is to pass these usernames to a decision block to make further logical choices.

The Splunk action block returns its results as a list of dictionaries under the variable action_result.data. Each dictionary corresponds to a row of data returned by your SPL query. For example, if your SPL query returns multiple usernames, each username will be in a separate dictionary within this list.

The Solution: Reference Usernames in the Decision Block

A great solution was provided by our very own Splunk expert, @livehybrid!

When your Splunk query runs, it gathers a lot of valuable data. The key challenge is often how to pinpoint just the usernames from that data and make them accessible for your next automated action.

Here’s how @livehybrid cracked it:

Instead of diving deep into complex coding, the solution involves guiding your automation to the exact spot where the usernames are stored. Think of it like giving your system a precise address within the data it just received.

Your automation needs to know three things to pull this off:

Where to look: It needs to access the overall results that your Splunk query just delivered.

How to find them all: There's a clever way to tell the system to scan every single entry in those results, ensuring no username is missed. This acts like a universal search command, making sure your automation sifts through all the relevant information.

What they're called: You need to specify the exact name of the field (or column) where the usernames are listed in your Splunk output. For example, if your Splunk query calls it usernames, then that's precisely what your automation needs to look for. (Just a quick note: it's case-sensitive, so usernames is different from Usernames!)

By setting up this clear pathway, your automation can effortlessly extract a complete list of all the usernames returned by your Splunk query. This makes them immediately available for further actions, streamlining your processes and saving you valuable time!
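The three parts described above (results, wildcard, field name) as an added Python sketch; it is a simplified stand-in for datapath resolution, not SOAR's own code and not taken from the original answer. The block name run_query_1, the datapath layout and the sample rows are assumptions constructed for illustration.

```python
# Added illustration: simplified datapath resolution, not SOAR's implementation.
# RESULTS is constructed sample data; block name "run_query_1" is an assumption.
RESULTS = {
    "run_query_1": {
        "data": [
            {"usernames": "alice", "count": "3"},
            {"usernames": "bob", "count": "1"},
            {"count": "7"},  # row where the SPL query returned no usernames value
        ]
    }
}


def resolve(datapath, results=RESULTS):
    """Walk '<block>:action_result.<path>' and return one value per matched entry."""
    block, _, path = datapath.partition(":")
    parts = path.split(".")
    if parts[0] != "action_result":
        raise ValueError("expected '<block>:action_result.<path>'")
    nodes = [results.get(block)]
    for part in parts[1:]:
        matched = []
        for node in nodes:
            if part == "*":
                # Wildcard: fan out over every row of the list.
                matched.extend(node if isinstance(node, list) else [])
            elif isinstance(node, dict):
                # Field lookup is an exact, case-sensitive key match.
                matched.append(node.get(part))
            else:
                matched.append(None)
        nodes = matched
    return nodes


def usernames_for_decision(datapath, results=RESULTS):
    """Drop empty rows and fail loudly when the path matched nothing usable."""
    values = [v for v in resolve(datapath, results) if v]
    if not values:
        raise LookupError(f"{datapath!r} resolved to no values; check block and field names")
    return values


if __name__ == "__main__":
    print(resolve("run_query_1:action_result.data.*.usernames"))
    print(resolve("run_query_1:action_result.data.*.Usernames"))
    print(usernames_for_decision("run_query_1:action_result.data.*.usernames"))
```

A wrong-case field name yields one None per row, while a misspelled block name yields an empty list, so the two mistakes look different when you inspect the resolved values.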

Check out our Tech Talks on “What’s New with Splunk SOAR”

Passing User-Defined Variables to Action Blocks in Cisco SOAR: A Debugging Deep Dive

When you're new to Cisco SOAR, one of the first hurdles you might encounter is understanding how to correctly pass user-defined variables from a custom Python code block to a subsequent action block, like a Splunk action block. It's a common scenario: you've written your Python code, confirmed the variable is set correctly with debug statements, and exported it. Yet, when you try to use it in the next block, its value mysteriously appears as None. What gives?

The Problem: Variable Appears as 'None'

Let's set the scene:

You've created a custom Python code block in your Cisco SOAR playbook. Inside this block, you're performing some logic, perhaps extracting an IP address, and storing it in a variable, say extracted_ip_1. You've used debug print statements and confirmed that extracted_ip_1 holds the correct value within your custom code.

Your next step is to pass this extracted_ip_1 to a Splunk action block. You've configured the Splunk action block to import this variable. However, when the playbook runs, the Splunk action block receives None for that variable. The frustrating part, as @ma620k brought to light:

System variables (like those from an "extract IP" utility) pass through just fine.

There are no explicit error messages indicating a problem.

The root cause is a mismatch in variable handling: a subtle but critical detail of how variables are saved within custom code blocks using phantom.save_run_data() and how they are subsequently referenced.

The Solution: Precision is Key

As user @marnall wisely pointed out, you might be setting a variable (like extracted_ip_1) perfectly within your Python function. However, when you use the phantom.save_run_data() command to make that variable available to other parts of your playbook, you might accidentally be telling SOAR to save a different variable name, one that was never actually assigned a value. This results in the variable appearing as None in subsequent blocks.

@marnall also highlighted another common pitfall: simple typos in the data path. When you tell a later action block where to find the variable from your custom code, a single incorrect character in the path (e.g., customer_function instead of custom_function) can cause the variable to not be found, again leading to a None value without any clear error message.

To fix these issues, you need to be very precise:

Ensure You Save the Correct Variable: When using the phantom.save_run_data() command in your custom Python code, double-check that the variable you're telling it to save is the exact one that holds your desired value. Don't let a naming convention or a copy-paste error cause you to save an unassigned variable.

Verify Your Data Path for Typos: Always meticulously check the input data path in the subsequent action block where you're trying to use the variable. Make sure the name of your custom code block and the variable name within that path are spelled perfectly. Even a tiny typo can prevent SOAR from locating the variable, making it appear as None.
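Both checks can be run as a pre-flight comparison of what the custom code block saved against what the next block references. The following is an added Python sketch, not code from the original answers or from SOAR; the "<block>:custom_function:<variable>" path layout, the block name code_1 and all sample values are assumptions constructed for illustration.

```python
import difflib

# Constructed sample: keys a custom code block saved, and the values it saved.
# The "<block>:custom_function:<variable>" key layout is an assumption.
SAVED = {
    "code_1:custom_function:extracted_ip_1": "203.0.113.7",
    "code_1:custom_function:extracted_ip": None,  # exported but never assigned
}

# Constructed sample: datapaths configured as inputs on the next action block.
REFERENCED = [
    "code_1:custom_function:extracted_ip_1",    # correct
    "code_1:customer_function:extracted_ip_1",  # typo in the path
    "code_1:custom_function:extracted_ip",      # wrong variable name
]


def check_datapaths(saved, referenced):
    """Return {datapath: reason} for each reference that would arrive as None."""
    problems = {}
    for path in referenced:
        if path not in saved:
            near = difflib.get_close_matches(path, list(saved), n=1, cutoff=0.8)
            hint = f"; closest saved key is {near[0]!r}" if near else ""
            problems[path] = "no value saved under this path" + hint
        elif saved[path] is None:
            problems[path] = "path exists, but the saved variable was never assigned"
    return problems


if __name__ == "__main__":
    for path, reason in check_datapaths(SAVED, REFERENCED).items():
        print(f"{path}: {reason}")
```

Running a check like this during playbook debugging turns the silent None into a named cause: either the path does not match anything saved, or the saved variable never received a value.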

As always, our dedicated contributors on Splunk Answers are rockstars! Thanks to @livehybrid and @marnall. Your willingness to share expertise, debug complex issues, and provide practical solutions is invaluable. The collective knowledge and collaborative spirit of the community significantly empowers our users. Thank you for making a real difference!

Looking to deepen your knowledge? Check out this course from Splunk Education: Developing Splunk SOAR Playbooks in the Visual Playbook Editor. Register here and here is the course description!


Would you like to feature more solutions like this?

Reach out to @Anam Siddique on Slack in our Splunk Community Slack workspace to highlight your question, answer, or tip in an upcoming Community Content post!


💡 Our contributors who are highlighted for providing a solution will be given a $25 Cisco Store gift card for their contributions.  

Beyond Splunk Answers, the Splunk Community offers a wealth of valuable resources to deepen your knowledge and connect with other professionals!

Here are some great ways to get involved and expand your Splunk expertise:

  • Role-Based Learning Paths: Tailored to help you master various aspects of the Splunk Data Platform and enhance your skills.
  • Splunk Training & Certifications: A fantastic place to connect with like-minded individuals and access top-notch educational content.
  • Community Blogs: Stay up-to-date with the latest news, insights, and updates from the Splunk community.
  • User Groups: Join meetups and connect with other Splunk practitioners in your area.
  • Splunk Community Programs: Get involved in exclusive programs like SplunkTrust and Super Users where you can earn recognition and contribute to the community.

And don’t forget, you can connect with Splunk users and experts in real-time by joining the Slack channel.

Dive into these resources today and make the most of your Splunk journey!
