Chronicle SOAR - unexpected behaviours in playbook views

@rupinderv is that something you could comment?

Some comments on best practise tips for using Context keys

The key is indexed so please be proportionate in your usage.  e.g. do not store UUID or SHA256 as the key as this can impact system performance if you store millions. In your case it looks ok, but I thought to offer future advice. 

If it works on one system, it should work on others.  I suggest build a mini test playbook that does SetContext, GetContext, and a widget. If it works, export it and import, that should show it works

Hi all,

I have a Block 

in the blcok i have first action 

i want to fetch count of udm events in this case it is 4 right

i set context value of key count of events  as value [GoogleChronicle_Execute UDM Query_1.JsonResult| "events" | count()]

i tried to debugged using get context value /add comment it displays this placeholder instead of actual value  [GoogleChronicle_Execute UDM Query_1.JsonResult| "events" | count()] 

it should be 4 

i tested again it works in playbooks but not in blocks , i even checked the version of instances its same 

The Block runs it's own scope, i.e. it does not have access to the data in the parent playbook that calls it.

You can pass the JSON as an input to the Block and count in there
Or you can count in the playbook, and pass the result (4) into the Block as an input variable

@SoarAndy if count of event is 0 its returns this [GoogleChronicle_Execute UDM Query_1.JsonResult| "events" | count()]  

Actually its should return 0, this is effecting my playbooks and views

how to add condition check to set the count to 0

Hi @SoarAndy @Vik_S ,

this is not resolved ,  even if count of event is >0 its returns this [GoogleChronicle_Execute UDM Query_1.JsonResult| "events" | count()]  

Actually its should return count of events

i have raised a ticket from client side.

I checked the code. 
Actions *should* output a JSON object, if no events were detected the output should be {} or [] depending. In this case a mistake means that "add_restuls_json" is not called.  This has been logged as a bug to the teams.

Until this is fixed I suggest a double condition

Condition 1 - if [ChronicleIUDM.JsonResult] starts with [Ch

This will validate if the placeholder remains as a string. If yes, then no events were detected. If no perform another condition

Condition 2 - if count() > 0

this condition, the one you want, is only tested AFTER we check if a JSON was present
HTH

Andy

Thank you for reply.. By when issue/bug will be solved? 

Given there is a workaround (above) I don't it is currently prioritised, so I would use the above workaround for now

HI @SoarAndy , i have found why this issue is happening... ill try to recreate the issue and confirm you ..

Hi @SoarAndy @Vik_S , Thank you ...

The mistake was naming the action .. if we use () in the action name it doesn't  work.

How is this not a priority? If an action is completed success ( with or without output) the placeholder needs to return something. If you have multiple actions in parallel are you expected to a have a if else for each single one even if they are going back to one single block? That sounds incredibly bloated inside a playbook and would require a large re-write when the bug is fixed. I am new to the system so would love some insight into this.  

Hi Jason,

This is not a platform issue, and the majority of Actions correctly output an empty json, however unfortunately in the thousands of Actions we have a few do have this behaviour and only those would need the workaround. 
If you find another please let me know ASAP and I will log to the marketplace team. Even the requested change isn't highly prioritised (I don't know the calculation system) it might get pulled in if any other works are planned on an integration so it's always worth logging as soon as possible. 
HTH?
Andy