Splunk® Phantom

Use Splunk Phantom

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Phantom. Click here for the latest version.
Acrobat logo Download topic as PDF

Run an action in

Analysts can use the /action command to quickly run one of the actions supports.

Actions run with /action are the same actions that are found in the Run Action dialog box, but the names of the actions are formatted with underscores ( _ ) instead of spaces. For example, the action geolocate ip becomes geolocate_ip.

The Run Action dialog box guides you through selecting the information an action requires. Using the command line interface requires you to provide the same information as arguments to the /action command.

When you type /action in the comment field of the activity sidebar, a tooltip-style dialog appears to guide you through adding arguments, or you can use the --help argument to get a message with help information as shown here:

/action geolocate_ip "MaxMind" --help

PhBot returns the following help message:

usage: /action geolocate_ip [app] <required arguments> [--asset asset...]
[--optional arguments]

Queries MaxMind for IP location info

required arguments:
ip IP to geolocate

The command-line interpreter validates arguments with the /action command. Incorrect arguments generate an error message to help you fix the arguments as shown in the following example:

/action whois_domain "WHOIS" splunk.com

The following error message is returned for the example:

/action whois_ip "WHOIS" a.b.not_an_ip

Use a list with the /action command

You can perform actions on lists of items by passing the list as an argument as shown in the following example:

/action geolocate_ip "MaxMind" ["1.1.1.1", "2.2.2.2"]

Lists must be presented in valid Python syntax, so individual items must be in quotation marks ( " ).

Passing the /action command multiple lists or datapaths, or a mix of lists and datapaths, results in a product. For example, [1, 2] [3, 4] results in four action runs: (1, 3), (1, 4), (2, 3), and (2, 4).

Last modified on 07 September, 2021
PREVIOUS
command-line interface overview
  NEXT
Run a playbook in

This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters