This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error: DB Version '##' and Insert version '##' do not match for id: ##### on bucket [] [incidents] (15)

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Error: DB Version '##' and Insert version '##' do not match for id: ##### on bucket [] [incidents] (15)

Go to solution
DZerkle
L2 Linker

‎03-04-2021 07:08 PM

I have a trigger script automation that updates the linked incidents of an incident.  The update works, but then it produces the following error and refuses to update the field that triggered the automation.

 

DZerkle_0-1614912375236.png

 

 

The script works fine if I run it from the command line.  It's only when a triggered script runs that there's a problem.

 

Here's a sample that causes a problem.  If I comment this line out, the field updates just fine.

 

demisto.executeCommand("setIncident", {'id':child_case_id, "customFields":"{\"False Positive\":\"True\"}"})

 

 

Anyone know what's going on and to fix this?

0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
DZerkle
L2 Linker
In response to DZerkle

‎03-05-2021 11:28 AM - edited ‎03-22-2021 09:28 AM

It looks like the checkbox is only there for version 6.1.

 

The workaround is to leave out the 'id':child_case_id  in the setIncident command and leave out the "incidentId":child_case_id  in the linkIncidents command.  This will default to using the current incident.

 

It may be that you have to use the ID, as is the case with the linkIncidents command.  In this case, triggered scripts need to use demisto.investigation()['id'] to get the incident ID.  They can't use demisto.incidents()[0]['id'].

View solution in original post

0 Likes Likes
19 REPLIES 19

Go to solution
ABurt
L3 Networker

‎03-05-2021 01:46 AM - edited ‎03-05-2021 02:02 AM

Hello,

 

I assume this a field-change-triggered script? What do you have selected for the ""Run triggered script after incident is modified"?

ABurt_0-1614937584774.png

 

You will not need to specify the "CustomFields" in the setIncident command either. You can use the system name for the field. In your case it would (most likely) be:

 

demisto.executeCommand("setIncident", {"id":child_case_id, "falsepositive":True})

 

 

Regards


Adam

Go to solution
DZerkle
L2 Linker
In response to ABurt

‎03-05-2021 07:40 AM

I don't even have that checkbox.  Where is it?  We're running 6.0.

DZerkle_0-1614958757707.png

 

0 Likes Likes

Go to solution
DZerkle
L2 Linker
In response to DZerkle

‎03-05-2021 11:28 AM - edited ‎03-22-2021 09:28 AM

It looks like the checkbox is only there for version 6.1.

 

The workaround is to leave out the 'id':child_case_id  in the setIncident command and leave out the "incidentId":child_case_id  in the linkIncidents command.  This will default to using the current incident.

 

It may be that you have to use the ID, as is the case with the linkIncidents command.  In this case, triggered scripts need to use demisto.investigation()['id'] to get the incident ID.  They can't use demisto.incidents()[0]['id'].

0 Likes Likes

Go to solution
DZerkle
L2 Linker
In response to DZerkle

‎03-05-2021 04:45 PM - edited ‎03-05-2021 04:54 PM

The solution above turns out to be only partial.  Leaving out the incidentId field for the linkIncidents command causes the command to do nothing.  Putting it back in re-generates the DB version errors.  Running the trigger script from the command line works perfectly.

 

So, I don't have a way to modify linked cases in a triggered script in 6.0.  Anyone know?

0 Likes Likes

Go to solution
ABurt
L3 Networker
In response to DZerkle

‎03-08-2021 12:58 AM

If you leave out the "id" field in the setIncident command, it will execute within the current incident (it assumes the current incident is the id).

 

Is the script executing from within an existing incident, or is the script attemping to update a different incident?

0 Likes Likes

Go to solution
DZerkle
L2 Linker
In response to ABurt

‎03-16-2021 06:03 PM

We just upgraded to 6.1, so I revisited this matter.  It's not much better.

 

The DB Version errors no longer appear.

 

If I leave "Run triggered script after case is modified" unchecked, the triggered script correctly updates other fields with the setIncident command.

 

If I check that box, the other fields do not update, even though the war room says that they're updated.

 

Whether I check that box or not, and no matter how it is called, the linkIncidents command does nothing when run from a triggered script.  It works as expected if run from a script launched by a button or the command line. 

 

Can you confirm the above?  The docs mention nothing about linking incidents from triggered scripts.

0 Likes Likes

Go to solution
ABurt
L3 Networker
In response to DZerkle

‎03-17-2021 03:03 AM

The automatoin script that you have created to link the incidents, can you confirm who it is running as? By default it's "limited user".

 

This may be affecting the outcome.

0 Likes Likes

Go to solution
DZerkle
L2 Linker
In response to ABurt

‎03-17-2021 09:22 AM

It was set to "limited user".  I tried setting it to "DBot".  No change in behavior resulted.

 

I have the exact same script triggered by a button and triggered by a field change.  It works fine when triggered by the button.

0 Likes Likes

Go to solution
ABurt
L3 Networker
In response to DZerkle

‎03-17-2021 09:46 AM

Can you post the contents of the script?

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks