IBM Security QRadar SOAR

  • 1.  Splunk Timeout Error

    Posted Wed July 27, 2022 12:19 PM
    Hi,

    We were testing the playbook and are facing the following error when calling the Splunk Search function (using Splunk Integration for SOAR v1.1.1 app): 

    The playbook was terminated by the system due to a function error.
    'Query [1658928363.475617] timed out. Final Status was [QUEUED]'
    Traceback (most recent call last):
      File "/opt/app-root/lib64/python3.9/site-packages/fn_splunk_integration/components/splunk_search.py", line 75, in _splunk_search_function
        splunk_result = splunk_client.execute_query(query_string)
      File "/opt/app-root/lib64/python3.9/site-packages/fn_splunk_integration/util/splunk_utils.py", line 114, in execute_query
        raise IntegrationError("Query [{}] timed out. Final Status was [{}]".format(splunk_job.name, splunk_job["dispatchState"]))
    resilient_lib.components.integration_errors.IntegrationError: 'Query [1658928363.475617] timed out. Final Status was [QUEUED]'
     
    Starting 'splunk_search' that was running in workflow '8794'

    Note that this error occurs when we turn on Splunk alerts (that generate multiple Resilient incidents). When testing the playbook by manually creating a single incident, this error does not appear. Any ideas how to resolve this issue?


    ------------------------------
    Mark Aksen
    ------------------------------


  • 2.  RE: Splunk Timeout Error

    Posted Fri July 29, 2022 11:52 AM
    Hi Mark,

    I believe this is a defect we can resolve to give you more control over the timeout of searches. I've queued that work up so we can try to get a fix to you in the near term.

    Regards,
    Mark

    ------------------------------
    Mark Scherfling
    ------------------------------