Splunk® Phantom (Legacy)

Develop Apps for Splunk Phantom

This documentation does not apply to the most recent version of Splunk® Phantom (Legacy). For documentation on the most recent version, go to the latest release.

Frequently asked questions

How do I handle Python module dependencies for my app?

There is more than one way to manage dependencies on Python modules. Note that when an action is executed, the platform adds the following directories to the PYTHONPATH environment variable:

  • /opt/phantom/lib
  • /opt/phantom/www
  • /opt/phantom/apps/[app_install_directory]
  • /opt/phantom/apps/[app_install_directory]/dependencies

Use one of the following ways to manage dependencies.

Package with the App

Place all required modules as part of the app tarball. There are two ways to do this:

  • Install the modules into a subdirectory of the app. pip2.7 supports the --target command line switch, which installs the modules at a specific location. Use this switch to install the modules into the app's subdirectory called dependencies. When the app tarball is installed on the platform, the modules will be part of the app code.
  • Distribute the complete module, including the source, license file, etc., in a subdirectory of the app. In this case the app must append the required folders to the PYTHONPATH itself.

The platform installs all the files present in the app tarball in the app install directory. Take care when packaging modules this way. Many Python modules are released under various licenses, so make sure the license allows for such redistribution. Packaging modules this way makes the app self-sufficient.

Add PIP dependencies in the app JSON

You can specify app dependencies in the app JSON, and the platform will try to install them with the app. See Specifying pip dependencies for more information.


How do I generate a test JSON?

The best way to generate a test JSON that you can use for debugging with pudb is to base it on an actual action run log. First, code enough of the action (its name, parameters, and so on) that it can be executed from the UI. Once that is in place:

  1. Configure the DEBUG LOGGING in System Settings to WARNING for all the daemons. This limits the amount of content logged so that it is easier to spot the specific log of interest.
  2. Run the action from the UI, for example run test connectivity.
  3. Open the /var/log/phantom/spawn.log file as the root user.
  4. Search for the string 'READ MESSAGE.*test connectivity.*app_config' and go to the last (latest) occurrence of the matched line. For example:
    2879 May 13 02:01:44 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: {"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20","config":{"api_key":"XXXX","api_url":"https://api.isightpartners.com/","app_version":"1.2.19","appname":"-","directory":"isightpartners_79af9fc7-da99-4107-a8fe-fdb887391cdc","download_report":true,"ingest":{"container_label":"campaign","interval_mins":"30","poll":false,"start_time_epoch_utc":null},"main_module":"isightpartners_connector.pyc","secret":"YYY","verify_server_cert":true},"connector_name":"iSight Partners","connector_run_id":0,"container_id":"0","debug_level":3,"dec_key":"20","identifier":"test_asset_connectivity","ipc_version":1,"parameters":[],"phantom_version":"1.2.246","session_id":"a2d5fad2-30bc-4fa2-9106-dfaf4cf039a3","type":"response"}
    
  5. Copy this line and paste it in a new file. Remove all the text up to the first occurrence of the opening curly bracket character ({), so that only the JSON is left, as in the following:
    {"action":"test connectivity","app_config":{"interval_days":"5"},"asset_id":"20","config":{"api_key":"XXXX","api_url":"https://api.isightpartners.com/","app_version":"1.2.19","appname":"-","directory":"isightpartners_79af9fc7-da99-4107-a8fe-fdb887391cdc","download_report":true,"ingest":{"container_label":"campaign","interval_mins":"30","poll":false,"start_time_epoch_utc":null},"main_module":"isightpartners_connector.pyc","secret":"YYY","verify_server_cert":true},"connector_name":"iSight Partners","connector_run_id":0,"container_id":"0","debug_level":3,"dec_key":"20","identifier":"test_asset_connectivity","ipc_version":1,"parameters":[],"phantom_version":"1.2.246","session_id":"a2d5fad2-30bc-4fa2-9106-dfaf4cf039a3","type":"response"}
    
  6. If you are using vim, run the following command after opening the file in vim:
    :%!phenv python2.7 -m json.tool
    This command reformats the JSON into a more readable format.

You can use this file as the input test JSON.
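
Steps 4 to 6 can also be scripted. The following is an added example, not part of the original Splunk documentation: it picks the latest matching READ MESSAGE line, keeps only the JSON, and pretty-prints it, with an optional redact flag that masks the api_key and secret fields seen in the sample line so the file can be shared. The function names, the redact option and the sample log text are assumptions made for illustration.

```python
import json
import re

# Constructed sample in the shape of spawn.log lines; all values are placeholders.
SAMPLE_LOG = "\n".join([
    'May 13 02:00:10 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: '
    '{"action":"test connectivity","app_config":{"interval_days":"1"},'
    '"config":{"api_key":"XXXX","secret":"YYY"},"parameters":[]}',
    'May 13 02:00:11 localhost SPAWN[17613]: constructed unrelated line',
    'May 13 02:01:44 localhost SPAWN[17613]: IPC_MESSAGES: READ MESSAGE: '
    '{"action":"test connectivity","app_config":{"interval_days":"5"},'
    '"config":{"api_key":"XXXX","secret":"YYY","verify_server_cert":true},'
    '"parameters":[]}',
])

# Keys masked when redact=True: the two credential fields in the page's sample.
SENSITIVE_KEYS = ("api_key", "secret")


def last_action_message(log_text, action):
    """Parse the JSON payload of the latest READ MESSAGE line for `action`."""
    pattern = re.compile("READ MESSAGE.*" + re.escape(action) + ".*app_config")
    matches = [ln for ln in log_text.splitlines() if pattern.search(ln)]
    if not matches:
        raise ValueError("no READ MESSAGE line for action %r" % action)
    line = matches[-1]  # step 4: last (latest) occurrence
    # Step 5: drop everything before the first "{"; raw_decode also tolerates
    # trailing text after the closing brace.
    payload, _ = json.JSONDecoder().raw_decode(line, line.index("{"))
    return payload


def mask_secrets(node, keys=SENSITIVE_KEYS):
    """Return a copy of `node` with the values of sensitive keys replaced."""
    if isinstance(node, dict):
        return {k: "<redacted>" if k in keys else mask_secrets(v, keys)
                for k, v in node.items()}
    if isinstance(node, list):
        return [mask_secrets(v, keys) for v in node]
    return node


def build_test_json(log_text, action, redact=False):
    """Steps 4-6 in one call: extract, optionally mask, pretty-print."""
    payload = last_action_message(log_text, action)
    if redact:
        payload = mask_secrets(payload, SENSITIVE_KEYS)
    return json.dumps(payload, indent=4, sort_keys=True)


if __name__ == "__main__":
    print(build_test_json(SAMPLE_LOG, "test connectivity", redact=True))
```

Leave redact off for the copy you debug with, since the action needs the real configuration values, and keep that copy out of version control.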

Last modified on 25 February, 2020

This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8

