Splunk® Phantom (Legacy)

REST API Reference for Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Bulk Create and Update Records

Records can be created and updated in bulk. The bulk create and bulk update operations behave differently than you might expect.

The bulk operations do not perform transactional edits. A transactional edit means that either all of the updates succeed or none succeed.

The result of a bulk API call can be that half of the operations succeed and half fail, but the return is an HTTP 200 success status code if at least one operation succeeds.

The bulk operations return a list of the response bodies that are generated, as if the client had called the create or update API many times.

Therefore, the following scenario is possible:

  1. You send a bulk update request to modify 100 records.
  2. All but one of the records fail.
  3. You get an HTTP 200 response.
  4. You don't check the individual statuses of each update operation.
  5. You think that all is well, but you don't realize that 99 records did not get updated.

One example of a bulk operation is creating bulk container notes.

Example request
The following example request omits a required parameter (note_type) from the JSON body for container Id 4.

curl -k -u admin:password https://127.0.0.1:8443/rest/note \
-d '[{
    "container_id": 1,
    "phase": 2,
    "author_id": 1,
    "title": "example1",
    "note_type": "general",
    "content": "hello world"
  },
  {
    "container_id": 2,
    "phase": 2,
    "author_id": 1,
    "title": "example2",
    "note_type": "general",
    "content": "hello world"
  },
  {
    "container_id": 3,
    "phase": 2,
    "author_id": 1,
    "title": "example3",
    "note_type": "general",
    "content": "hello world"
  },
  {
    "container_id": 4,
    "phase": 2,
    "author_id": 1,
    "title": "example4"
  }
]'

Example response
The body of the following example response shows the success messages for the Ids of the newly created notes, with the exception of one failure.

[{
	"id": 4,
	"success": true
}, {
	"id": 5,
	"success": true
}, {
	"id": 6,
	"success": true
}, {
	"failed": true,
	"message": "Missing required parameter: note_type"
}]

See /rest/note for further information about notes.

Verify the response body of any bulk operation to make sure that all records are created or updated.
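One way to do that check, as an added example that is not code from the Phantom documentation or product: summarize_bulk_response walks the per-record results (using the example response above as constructed sample data, and assuming, as that example shows, that results come back in request order), and bulk_create_notes is a hypothetical standard-library helper that POSTs to /rest/note the way the curl command above does. base_url, user and password are placeholders.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Constructed sample: the page's example response to a four-note bulk
# create. Three notes were created, the fourth was rejected, HTTP 200.
SAMPLE_STATUS = 200
SAMPLE_BODY = [
    {"id": 4, "success": True},
    {"id": 5, "success": True},
    {"id": 6, "success": True},
    {"failed": True, "message": "Missing required parameter: note_type"},
]


def summarize_bulk_response(status, body, sent_count):
    """Return (created_ids, failures); failures is [(request_index, message)].

    Results are assumed to come back in request order (as in the page's
    example), so the index ties a failure to the record sent. A non-2xx
    status or a result count that does not match the number of records
    sent is treated as a hard error for the whole call.
    """
    if not 200 <= status < 300:
        raise RuntimeError(f"bulk call failed outright: HTTP {status}")
    if len(body) != sent_count:
        raise RuntimeError(f"sent {sent_count} records, got {len(body)} results")
    created, failures = [], []
    for idx, item in enumerate(body):
        if item.get("success") and "id" in item:
            created.append(item["id"])
        else:
            failures.append((idx, item.get("message", "unknown error")))
    return created, failures


def bulk_create_notes(base_url, user, password, notes, verify_tls=True):
    """Hypothetical helper: POST a list of note bodies to /rest/note."""
    auth = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/rest/note", data=json.dumps(notes).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # mirrors curl -k for a lab box with a self-signed cert
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return summarize_bulk_response(resp.status, json.load(resp), len(notes))
```

A caller that treats a non-empty failures list as an error, rather than trusting the HTTP 200, avoids the scenario described above.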

Last modified on 28 April, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7