Splunk SOAR

Sending User Defined Variables to Action Block

ma620k
Engager

I am new to Splunk SOAR and I have a custom Python code block that I am creating and exporting a variable to a Splunk action block.

The variable in the custom code block is set fine and with debug statements I can see it set correctly.  I then export that variable.

In the Splunk action block, I import that variable but when I try to use it the value is set to "None".  When I import SOAR system variables, it works fine.

 

There are no error messages.  SOAR has the auto fill for the variables so not like I have a typo.

 

Screenshot below: {0} is my customer code variable that gets set to none.

{1} is from the extract ip utility and that is set fine.

ma620k_0-1747670666264.png

 

0 Karma

PrewinThomas
Builder

@ma620k 
Did you define it as an output variable in the custom code block’s configuration?

Your variable is likely not being exported due to this.

Reference - https://docs.splunk.com/Documentation/SOARonprem/6.3.1/Playbook/CustomFunction


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos. Thanks!

0 Karma

marnall
Motivator

It seems that you are not using {0} in your query input.

Also can you post the sanitized code for the code block and the full entry for the data path of the 0 input?

0 Karma

ma620k
Engager

Thank you for the responses.  I copy/pasted some of the SOAR info below and as for the questions:

 

  • I did define the output variable in the custom code block config
  • I am not using {0} in the sample block because it kept giving an error.  I was using {1} because that was grabbing the IP through a utility and that was working for me.
  • The variable from the custom code block (extracted_ip_1) worked fine within the code block but was not set outside of it.
  • code_3:customer_function:extraced_ip_1

 

ma620k_0-1748628300202.png

def code_3(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, loop_state_json=None, **kwargs):
    phantom.debug("code_3() called")

    regex_extract_ipv4_3__result = phantom.collect2(container=container, datapath=["regex_extract_ipv4_3:custom_function_result.data.extracted_ipv4","regex_extract_ipv4_3:custom_function_result.data.input_value"])
    container_artifact_data = phantom.collect2(container=container, datapath=["artifact:*.cef.cs1","artifact:*.cef.cs1Label"])

    regex_extract_ipv4_3_data_extracted_ipv4 = [item[0] for item in regex_extract_ipv4_3__result]
    regex_extract_ipv4_3_data_input_value = [item[1] for item in regex_extract_ipv4_3__result]
    container_artifact_cef_item_0 = [item[0] for item in container_artifact_data]
    container_artifact_cef_item_1 = [item[1] for item in container_artifact_data]

    input_parameter_0 = ""

    code_3__extracted_ip_1 = None

    ################################################################################
    ## Custom Code Start
    ################################################################################

    # Write your custom code here...
    extracted_ip_1 = regex_extract_ipv4_3_data_extracted_ipv4[0]

    ################################################################################
    ## Custom Code End
    ################################################################################

    phantom.save_run_data(key="code_3:extracted_ip_1", value=json.dumps(code_3__extracted_ip_1))

    run_query_4(container=container)

    return

0 Karma

marnall
Motivator

Ah there's your problem. You assign the variable "extracted_ip_1" which then works fine within the function, but in the following phantom.save_run_data function call, it does not actually dump the value of the "extracted_ip_1" variable into the output, but rather the "code_3__extracted_ip_1" variable, which is previously set to None.

You should change the phantom.save_run_data command to use the correct variable name in the value parameter:

phantom.save_run_data(key="code_3:extracted_ip_1", value=json.dumps(extracted_ip_1))

Or, if you want to constrain all custom code between the "custom code" comment blocks, you can change the variable name:

code_3__extracted_ip_1 = regex_extract_ipv4_3_data_extracted_ipv4[0]

 

Also you mentioned your data path on the input to the following block is "code_3:customer_function:extraced_ip_1", which has "customer_function" but it should have "custom_function". Not sure if this is just a typo in your post but if it exists also in your SOAR instance then it can also cause problems.

0 Karma
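
A static check for the bug described in the answer above, as an added example that is not part of the original posts or of Splunk's own code: it parses playbook source with Python's ast module and reports every phantom.save_run_data call whose dumped variable is only ever assigned None in that block. The sample source (including the corrected code_4 block and the IP value) and the function name find_null_outputs are constructed for illustration.

```python
import ast

# Constructed sample: a trimmed copy of the code block from the thread (code_3)
# and a corrected variant (code_4) that assigns the generated output variable.
PLAYBOOK_SRC = '''
def code_3(container=None, **kwargs):
    ipv4_list = ["203.0.113.7"]
    code_3__extracted_ip_1 = None
    extracted_ip_1 = ipv4_list[0]
    phantom.save_run_data(key="code_3:extracted_ip_1", value=json.dumps(code_3__extracted_ip_1))

def code_4(container=None, **kwargs):
    ipv4_list = ["203.0.113.7"]
    code_4__extracted_ip_1 = None
    code_4__extracted_ip_1 = ipv4_list[0]
    phantom.save_run_data(key="code_4:extracted_ip_1", value=json.dumps(code_4__extracted_ip_1))
'''

def find_null_outputs(source):
    """Return (function, run-data key, variable) for every save_run_data call
    whose dumped variable is only ever assigned None inside that function."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # Map each simple variable name to every value assigned to it.
        assigned = {}
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        assigned.setdefault(target.id, []).append(node.value)
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "save_run_data"):
                continue
            kw = {k.arg: k.value for k in node.keywords}
            key, value = kw.get("key"), kw.get("value")
            # Expect value=json.dumps(<name>), the shape the generated code uses.
            if not (isinstance(value, ast.Call) and value.args
                    and isinstance(value.args[0], ast.Name)):
                continue
            var = value.args[0].id
            values = assigned.get(var, [])
            if values and all(isinstance(v, ast.Constant) and v.value is None for v in values):
                findings.append((func.name, getattr(key, "value", None), var))
    return findings
```

Running find_null_outputs over an exported playbook's .py file before deployment flags blocks like code_3, where downstream actions would silently receive None.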

ma620k
Engager

Ah that all makes sense.  Thanks so much for the help.   Can't wait to try it.

 

Yep, that did the trick.  Thank you so much!  And yeah "customer" was just a typo on my part.

0 Karma