Splunk® Phantom (Legacy)

Use Splunk Phantom

Splunk Phantom 4.10.7 is the final release of Splunk's Security Orchestration, Automation, and Response (SOAR) system to be called Splunk Phantom. All later versions are named Splunk SOAR (On-premises). For more information, see the Splunk SOAR (On-premises) documentation.

Use a datapath in

You can use a datapath as an argument with a slash command. This makes slash commands flexible and powerful. Use the /inspect command to get the datapath to use with other slash commands.


A datapath is a series of names, keywords, attributes, and wildcards that evaluates to a list of values. These values can be attributes of artifacts or action results.

A datapath is described using this format:


Example of a datapath for an artifact attribute:


Artifacts are indexed by their common event format (CEF) data so only CEF data is available to use in datapaths. You cannot access other fields such as label or description.

Example of a datapath for action results:


For more information on datapaths, see collect in the Python Playbook API Reference for .

Use the /inspect command

Use the /inspect command to examine artifacts and to look for datapaths you want to use with another slash command.

See the following example:

Examine an artifact to see if it has IP addresses in its CEF data.

/inspect artifact:*

The above example returns the following:

{u'ip': u''}
{u'ip': u''}

Because there is IP information in the artifact, you can access that information in another command with a datapath.

/action whois_ip "WHOIS" artifact:*.ips.*

See the following example:

Examine an action_run.

/inspect action_run:1

JSON formatted action run information.

    "comment": "",
    "node_guid": "d7c64d0f-fd0b-4d0b-8c68-34704ee91247",
    "playbook_run": null,
    "exec_order": null,
    "_pretty_owner": "admin",
    "creator": 1,
    "_pretty_undo": null,
    "assign_time": null,
    "create_time": "2019-12-12T00:32:20.600117Z",
    "playbook": null,
    "_pretty_playbook": "",
    "owner": 1,
    "message": "1 action succeeded",
    "action": "geolocate ip",
    "close_time": "2019-12-12T00:32:21.059521Z",
    "exec_delay_secs": 0,
    "container": 78,
    "_pretty_update_time": "17 minutes ago",
    "_pretty_has_app_runs": true,
    "id": 2,
    "targets": [
            "app_id": 118,
            "parameters": [
                    "ip": ""
            "assets": [
    "due_time": "2019-12-11T21:59:05.213705Z",
    "version": 1,
    "type": "investigate",
    "status": "success",
    "update_time": "2019-12-12T00:32:21.059521Z",
    "handle": null,
    "_pretty_close_time": "17 minutes ago",
    "_pretty_container": "ASN Transaction",
    "_pretty_creator": "admin",
    "ip_address": "",
    "_pretty_due_time": "Yesterday at 09:59 PM",
    "name": "user initiated geolocate ip action",
    "_pretty_redo": true,
    "_pretty_create_time": "17 minutes ago",
    "cancelled": null,
    "cb_fn": null

See the following example:

Get a list of all app_runs.

/inspect app_run:*.id







You can use these app_run IDs with other commands or REST API calls.

Last modified on 07 September, 2021
Update or edit an event in  

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters