topic Re: Edit Splunk Search Output in Cortex XSOAR Discussions

Edit Splunk Search Output

Himangi — Tue, 10 Oct 2023 08:03:15 GMT

Hi,
I am running a query in splunk search automation, The output I am getting includes too many brackets. I want to edit the output and I want to further use that output in different task.

Can anyone please suggest how can I edit the splunk search output.

Re: Edit Splunk Search Output

gyldz — Wed, 11 Oct 2023 10:26:55 GMT

Hi @Himangi ,

You can use Transformers for that purpose. You can use !Set command to do desired changes on the output and set the results to the another key. If you share the output and desired format, I will try to help you.

Re: Edit Splunk Search Output

Himangi — Thu, 12 Oct 2023 10:38:29 GMT

Hi @gyldz

So I am using this query index=windows EventCode=4625 user=user1| stats values(Account_Domain) as Account_Domain values(name) as Reason dc(_time) as LoginFailedCount

and I am getting the result as
[{"Account_Domain":"Test","LoginFailedCount":"24","Reason":["An account failed to log on","User name is correct but the password is wrong"]}]

I want to edit this output by removing brackets. I want the result as below:

Account_Domain:Test

LoginFailedCount:24

Reason:An account failed to log on,User name is correct but the password is wrong

Re: Edit Splunk Search Output

gyldz — Fri, 13 Oct 2023 08:12:07 GMT

Hi,

You can use stripchars transformer as below. It will remove the double quotes and then XSOAR will parse it as a dictionary.

Re: Edit Splunk Search Output

Himangi — Mon, 16 Oct 2023 13:43:20 GMT

Hi @gyldz

Thankyou for replying.

I tried the above automation and I am getting error as failed to parse argument and that particular task is getting paused.

Re: Edit Splunk Search Output

gyldz — Wed, 18 Oct 2023 09:01:10 GMT

Hi @Himangi ,

can you also show Splunk.Result in context data?