Splunk® Phantom (Legacy)

Develop Apps for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Use data paths to present data to the Splunk Phantom web interface

Data paths are a way for each command to pass down information about the data that needs to be presented to the UI layer. Data paths have the following supported starting locations:

Location Description
action_result.data Used to access the data added to a CommandResult.
action_result.message Used to access the message added to a CommandResult.
action_result.parameter Used to access the parameters passed to a command.
action_result.status Used to access the status from a CommandResult.
action_result.summary Used to access the summary information added to the CommandResult.
artifact Used to access artifacts in a container when authoring playbooks.
summary Used to access the summary of the entire connector operation.

Each starting point is a collection. The action_result.data collection is always an array. Each element of this array is an object of arbitrary complexity added by the connector. Whoever creates the data path must understand the data structure used by the connector. Both the action_result.summary and action_result.summary starting points reference a dictionary. While a connector writer can potentially add complex data structures to the summary, the intended purpose of these areas are for simple summary data and the view writer will typically not have to go more than one level into the summary areas.

The path separator is the . character. The path may be constructed out of the following data types:

Data type Description
Non-numeric text characters If the path segment is a non-numeric value, then the container must be a dictionary and the path segment is assumed to be a key in the dictionary.
Numeric characters If the path is strictly numeric, then the container is expected to be an array and the path segment accesses the 0-based index into the array. While it is possible that a dictionary with a numeric key can work, it is discouraged and is not guaranteed.
An empty string An empty path segment accesses all items in the container. Either all elements in the array or all values in a dictionary. Typically this is used to construct a view over multiple entries in the action_result.data. Since the action_result.data is an array and widgets expect to show multiple results, this allows the widget to access all the individual results.

Consider the data path action_result.data.*.information.0.leaf. The following data structure is added to each CommandResult:

{
  "information": [
    {
      "leaf": "important information is here!",
      "other_data": ...
    },
    {
       "other data": ...
    }
  ]
  "other data": ...
}

This path is accessing the action_result.data. For every command result it is accessing the information key. The information key is an array and the path is explicitly only accessing the 0th element of the array. Inside the array are dictionaries in which you find a key called leaf which contains the data the widget renders.

Specifying an invalid path attempting to index into an array will cause an exception and the widget will not render.

Only data for fully matching paths will be returned. Since a connector may not guarantee that data is always there, this will not generate an error. For example if the path asks for A.B.C but only some instances of A contain B and only some instances of B contain C, the result skips the missing B and C entries.

In virtually all cases, widgets expect the data from a data path to result in strings or numbers. If your path does not evaluate to one of these types, the Splunk Phantom web interface will not show anything.

Do not use spaces in your key names.

Last modified on 12 August, 2020
App authoring API   Use custom views to render results in your app

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters