https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/closing-duplicated-tickets-in-xsoar-amp-splunk-automatically/m-p/529152#M1743 <P>Hello,</P> <P>&nbsp;</P> <P>i am trying to close duplicated tickets on XSOAR and Splunk automatically using pre processing rules (for closing on XSOAR) and post processing rule (for closing on Splunk) which i wrote a script for</P> <P>However i cannot test the post processing scripts because the pre processing script closes the tickets and i cannot reopen them or access the ticket to run the script to test it before applying the post process rule.</P> <P>&nbsp;</P> <P>try:<BR />close_reason = str(demisto.args().get('closeReason'))<BR />closing_user = str(demisto.args().get('closingUserId'))<BR />if close_reason == "Duplicate" and closing_user == 'DBot':<BR />EVID = str(demisto.incident()['CustomFields']['splunkeventid'])<BR />user_auto = demisto.executeCommand("setIncident", {'owner' : 'admin'})<BR />demisto.executeCommand("splunk-notable-event-edit", {"eventIDs": EVID ,'owner': user_auto, "comment": "Auto closing this Duplicate Alarm" ,"status":"5" })<BR />else:<BR /><BR />EID = str(demisto.incident()['CustomFields']['splunkeventid'])<BR />nota = str(demisto.incident()['CustomFields']['closernote'])<BR />user = str(demisto.incident()['owner'])<BR />demisto.executeCommand("splunk-notable-event-edit", {"eventIDs": EID,'owner': user, "comment": nota ,"status":"5" })</P> <P>except:<BR />print("you are trying to close a manual ticket")</P> Mon, 30 Jan 2023 14:29:22 GMT abdulazizh 2023-01-30T14:29:22Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/closing-duplicated-tickets-in-xsoar-amp-splunk-automatically/m-p/529152#M1743 <P>Hello,</P> <P>&nbsp;</P> <P>i am trying to close duplicated tickets on XSOAR and Splunk automatically using pre processing rules (for closing on XSOAR) and post processing rule (for closing on Splunk) which i wrote a script for</P> <P>However i cannot test the post processing scripts because the pre processing script closes the tickets and i cannot reopen them or access the ticket to run the script to test it before applying the post process rule.</P> <P>&nbsp;</P> <P>try:<BR />close_reason = str(demisto.args().get('closeReason'))<BR />closing_user = str(demisto.args().get('closingUserId'))<BR />if close_reason == "Duplicate" and closing_user == 'DBot':<BR />EVID = str(demisto.incident()['CustomFields']['splunkeventid'])<BR />user_auto = demisto.executeCommand("setIncident", {'owner' : 'admin'})<BR />demisto.executeCommand("splunk-notable-event-edit", {"eventIDs": EVID ,'owner': user_auto, "comment": "Auto closing this Duplicate Alarm" ,"status":"5" })<BR />else:<BR /><BR />EID = str(demisto.incident()['CustomFields']['splunkeventid'])<BR />nota = str(demisto.incident()['CustomFields']['closernote'])<BR />user = str(demisto.incident()['owner'])<BR />demisto.executeCommand("splunk-notable-event-edit", {"eventIDs": EID,'owner': user, "comment": nota ,"status":"5" })</P> <P>except:<BR />print("you are trying to close a manual ticket")</P> Mon, 30 Jan 2023 14:29:22 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/closing-duplicated-tickets-in-xsoar-amp-splunk-automatically/m-p/529152#M1743 abdulazizh 2023-01-30T14:29:22Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/closing-duplicated-tickets-in-xsoar-amp-splunk-automatically/m-p/540196#M2049 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/226010">@abdulazizh</a>,</P> <P>&nbsp;</P> <P>If your script works as expected, post-processing should work as well. You cannot run any command on the closed incidents. If you want to test before implementing it, I would recommend having another pre-process rule for fake alerts and doing the testing on those ones by triggering some fake alerts on Splunk. I could not reproduce the issue due to the lack of Splunk integration, but Slack notification with incident details worked. So, you need to make sure the below command works as expected.</P> <P>&nbsp;</P> <P>demisto.executeCommand("splunk-notable-event-edit", {"eventIDs": EID,'owner': user, "comment": nota ,"status":"5" })</P> <P>&nbsp;</P> Wed, 26 Apr 2023 13:19:42 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/closing-duplicated-tickets-in-xsoar-amp-splunk-automatically/m-p/540196#M2049 gyldz 2023-04-26T13:19:42Z