Tutorial: Specify assets in Splunk Phantom
This tutorial demonstrates how to run more complex actions within a playbook. In this example, you want to run actions on a specific asset. You can either specify the asset by its ID, or specify a tag to include all assets associated with that tag.
Specify assets by ID
To execute actions on specific assets, pass a list of asset IDs to the act() call.
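import phantom.rules as phantom
import json

def list_vms_cb(action, success, container, results, handle):
    # Callback invoked when 'list vms' completes; nothing to do on failure.
    if not success:
        return
    return

def on_start(incident):
    # Run 'list vms' only on the asset listed in assets.
    phantom.act('list vms', assets=["vmwarevsphere"], callback=list_vms_cb)
    return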
The function generates the following result when run in the playbook debugger:
2015-03-14T21:12:41.365000: Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:12:41.369000: act(): Action 'list vms' shall be executed on assets: vmwarevsphere
2015-03-14T21:12:41.370000: act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:12:41.385000: act(): No action parameter review or asset approval requests generated.
2015-03-14T21:12:41.387000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:12:41.410000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:12:42.130000: running: Loaded action execution configuration
2015-03-14T21:12:42.135000: running: Connecting to 10.10.0.40...
2015-03-14T21:13:08.769000: success: 1 of 1 action succeeded
2015-03-14T21:13:08.879000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:13:08.882000: calling action callback function: list_vms_cb
*** The Rule has completed. Result: success ***
Specify assets by tag
You can also pass a tag to the act() function. The action runs on all assets with that tag.
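import phantom.rules as phantom
import json

def list_vms_cb(action, success, container, results, handle):
    # Callback invoked when 'list vms' completes; nothing to do on failure.
    if not success:
        return
    return

def on_start(incident):
    # Run 'list vms' on every asset that carries the "virtual" tag.
    phantom.act('list vms', tags=["virtual"], callback=list_vms_cb)
    return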
By using a tag, the list vms action runs on all assets tagged as virtual.
2015-03-14T21:21:52.723000: Processing incident: '4' [2a76c74c-5713-11e4-8a26-9b99986c1e2a]
2015-03-14T21:21:52.737000: act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000: act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.760000: act(): action details: [list vms] parameters: [[]] assets: [vmwarevsphere, vmwarevsphere2] callback function: [list_vms_cb] and NO user specified for reviewing params
2015-03-14T21:21:52.780000: act(): No action parameter review or asset approval requests generated.
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.828000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
2015-03-14T21:21:52.863000: running: The connector 'vSphere App' started successfully. Execution parameters sent.
2015-03-14T21:21:54.883000: running: Loaded action execution configuration
2015-03-14T21:21:54.890000: running: Connecting to 10.10.0.40...
2015-03-14T21:21:54.906000: running: Loaded action execution configuration
2015-03-14T21:21:54.912000: running: Connecting to 10.10.0.70...
2015-03-14T21:22:04.967000: success: 1 of 1 action succeeded
2015-03-14T21:22:05.097000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.325000: success: 1 of 1 action succeeded
2015-03-14T21:22:20.446000: Command 'list vms' success. 1 of 1 action succeeded
2015-03-14T21:22:20.451000: calling action callback function: list_vms_cb
*** The Rule has completed. Result: success ***
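A tag expands to every asset that carries it, so it is worth confirming from the debugger output which assets a run actually targeted. The following Python is an added example, not part of the Splunk documentation: it parses the debugger line formats shown above and reports any asset outside an expected set. The function names and the allowed set are assumptions, and the sample lines are abridged from the two debugger outputs on this page.

```python
import re

# Debugger lines copied from the two runs shown on this page (abridged).
BY_ID_LOG = """\
2015-03-14T21:12:41.369000: act(): Action 'list vms' shall be executed on assets: vmwarevsphere
2015-03-14T21:12:41.387000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
"""
BY_TAG_LOG = """\
2015-03-14T21:21:52.737000: act(): Warning: For action 'list vms' no assets were specified. The action shall execute on all matching assets
2015-03-14T21:21:52.760000: act(): Action 'list vms' shall be executed on assets: vmwarevsphere, vmwarevsphere2
2015-03-14T21:21:52.794000: Starting action 'list vms' on asset '28f81303-5982-451b-a833-1acdd191a763'
2015-03-14T21:21:52.833000: Starting action 'list vms' on asset '5a776fff-37d7-4a34-a299-21354dff8c45'
"""

PLANNED = re.compile(r"act\(\): Action '(?P<action>[^']+)' shall be executed on assets: (?P<assets>.+)$")
STARTED = re.compile(r"Starting action '(?P<action>[^']+)' on asset '(?P<asset_id>[^']+)'")
UNSCOPED = re.compile(r"act\(\): Warning: For action '(?P<action>[^']+)' no assets were specified")


def action_scope(log_text):
    """Return {action: {"assets": [...], "started": [...], "unscoped": bool}}."""
    scope = {}
    for line in log_text.splitlines():
        for key, pattern in (("assets", PLANNED), ("started", STARTED), ("unscoped", UNSCOPED)):
            m = pattern.search(line)
            if not m:
                continue
            entry = scope.setdefault(m["action"], {"assets": [], "started": [], "unscoped": False})
            if key == "assets":
                # Asset names the platform resolved for this act() call.
                entry["assets"] = [a.strip() for a in m["assets"].split(",")]
            elif key == "started":
                entry["started"].append(m["asset_id"])
            else:
                # No explicit assets list was passed, so matching was left to tags.
                entry["unscoped"] = True
    return scope


def unexpected_assets(log_text, allowed):
    """List (action, asset) pairs the run targeted outside the allowed asset names."""
    return [(action, asset)
            for action, entry in action_scope(log_text).items()
            for asset in entry["assets"] if asset not in allowed]


if __name__ == "__main__":
    for name, log in (("by ID", BY_ID_LOG), ("by tag", BY_TAG_LOG)):
        print(name, action_scope(log), unexpected_assets(log, {"vmwarevsphere"}))
```
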
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7