Frequently asked questions
Select one of the following frequently asked questions:
How do I handle Python module dependencies for my app?
You can manage dependencies on Python modules by packaging the required modules with the app, or by adding PIP dependencies in the app JSON.
When an action is executed, the platform adds the following directories to the PYTHONPATH
environment:
- /opt/phantom/lib
- /opt/phantom/www
- /opt/phantom/apps/[app_install_directory]
- /opt/phantom/apps/[app_install_directory]/dependencies
Package required modules with the app
Place all required modules as part of the app TAR file. You can do this in the following ways:
- Install the modules into a sub directory of the app. PIP supports the
--target
command line switch that allows the modules to be installed at a specific location. Use this switch to install the modules into the app's subdirectory calleddependencies
. When the app TAR file is installed on the platform the modules will be part of the app code. - Distribute the complete module, including the source and license file, in a sub directory of the app. In this case the app will need to append any folders in the
PYTHONPATH
it self.
The platform will install all the files present in the app TAR file in the app install directory. Be careful while packaging modules this way. Many Python modules are released under various licenses. Make sure the license allows for such redistribution. Packaging modules this way makes the app self-sufficient.
Add PIP dependencies in the app JSON
Specify app dependencies in the app JSON so that the platform tries to install the dependencies with the app. See Specifying pip dependencies for more information.
How do I generate test JSON for debugging?
To generate test JSON to use for debugging with pudb, leverage an actual action run log. The idea is to first code enough about the action such as name, parameters, and so on so that the action can be executed from the UI. See the following steps for more information:
- Configure the debug logging to WARNING for all the daemons. This limits the amount of content logged so that it is easier to spot the specific log of interest. See Configure the logging level for each Splunk Phantom daemon in Administer Splunk Phantom for instructions.
- Run the action from the Splunk Phantom web interface. For example, you can test the connectivity of an asset.
- Open the
/var/log/phantom/spawn.log
file as theroot
user. - Search for the string
'READ MESSAGE.*test connectivity.*app_config
and go to the last occurrence of the matched line. For example:2879 May 13 02:01:44 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: {"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20","config":{"api_key":"XXXX","api_url":"https://api.isightpartners.com/","app_version":"1.2.19","appname":"-","directory":"isightpartners_79af9fc7-da99-4107-a8fe-fdb887391cdc","download_report":true,"i ngest":{"container_label":"campaign","interval_mins":"30","poll":false,"start_time_epoch_utc":null},"main_module":"isightpartners_connector.pyc","secret":"YYY","verify_server_cert":true},"connector_name":"iSight Partners","connector_run_id":0,"container_id":"0","debug_level":3,"dec_key":"20","identifier":"test_asset_connectivity","ipc_version":1 ,"parameters":[],"phantom_version":"1.2.246","session_id":"a2d5fad2-30bc-4fa2-9106-dfaf4cf039a3","type":"response"}
- Copy this line and paste it in a new file. Remove all the text up until the first occurrence of the opening bracket character, so that it looks like the following, where only the JSON remains:
{"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20","config":{"api_key":"XXXX","api_url":"https://api.isightpartners.com/","app_version":"1.2.19","appname":"-","directory":"isightpartners_79af9fc7-da99-4107-a8fe-fdb887391cdc","download_report":true,"i ngest":{"container_label":"campaign","interval_mins":"30","poll":false,"start_time_epoch_utc":null},"main_module":"isightpartners_connector.pyc","secret":"YYY","verify_server_cert":true},"connector_name":"iSight Partners","connector_run_id":0,"container_id":"0","debug_level":3,"dec_key":"20","identifier":"test_asset_connectivity","ipc_version":1 ,"parameters":[],"phantom_version":"1.2.246","session_id":"a2d5fad2-30bc-4fa2-9106-dfaf4cf039a3","type":"response"}
- If you are using the vim editor, run the following command after opening the file in vim:
:%!phenv python -m json.tool
You can use this file as the input test JSON.
Tutorial: Use the app wizard to develop an app framework | Table Template |
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7
Feedback submitted, thanks!