Splunk® Phantom

Use Splunk Phantom

Run an action in Splunk Phantom

Analysts can use the /action command to quickly run one of the actions Splunk Phantom supports.

Actions run with /action are the same actions that are found in the Run Action dialog box, but the names of the actions are formatted with underscores ( _ ) instead of spaces. For example, the action geolocate ip becomes geolocate_ip.

The Run Action dialog box guides you through selecting the information an action requires. Using the command line interface requires you to provide the same information as arguments to the /action command.

When you type /action in the comment field of the activity sidebar, a tooltip-style dialog appears to guide you through adding arguments, or you can use the --help argument to get a message with help information as shown here:

/action geolocate_ip "MaxMind" --help

PhBot returns the following help message:

usage: /action geolocate_ip [app] <required arguments> [--asset asset...]
[--optional arguments]

Queries MaxMind for IP location info

required arguments:
ip IP to geolocate

The command-line interpreter validates the arguments you pass to the /action command. Incorrect arguments generate an error message to help you fix them, as shown in the following example:

/action whois_domain "WHOIS" splunk.com

The following error message is returned for the example:

/action whois_ip "WHOIS" a.b.not_an_ip

Use a list with the /action command

You can perform actions on lists of items by passing the list as an argument as shown in the following example:

/action geolocate_ip "MaxMind" ["", ""]

Lists must be presented in valid Python syntax, so individual items must be in quotation marks ( " ).

Passing the /action command multiple lists or datapaths, or a mix of lists and datapaths, results in the Cartesian product of their items, with one action run per combination. For example, [1, 2] [3, 4] results in four action runs: (1, 3), (1, 4), (2, 3), and (2, 4).
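
To preview how many action runs a set of list arguments produces before you submit the command, you can model the expansion described above. The following Python is an added example, not Splunk Phantom code: the function names parse_arg and expand_runs are hypothetical, datapaths are not resolved, and the IP addresses are constructed documentation values.

```python
import ast
from itertools import product


def parse_arg(token):
    """Return the values one /action argument contributes to the product.

    A token starting with "[" must be a valid Python list literal.
    ast.literal_eval only accepts literals, so the text is never executed.
    Any other token is treated as a single value (assumption of this example).
    """
    token = token.strip()
    if not token.startswith("["):
        return [token]
    try:
        value = ast.literal_eval(token)
    except (ValueError, SyntaxError) as exc:
        # Typical cause: list items that are not in quotation marks.
        raise ValueError(f"not a valid Python list: {token!r}") from exc
    if not isinstance(value, list):
        raise ValueError(f"expected a list, got {type(value).__name__}: {token!r}")
    return value


def expand_runs(args):
    """Expand argument tokens into one tuple per action run."""
    return list(product(*(parse_arg(a) for a in args)))


if __name__ == "__main__":
    # The example from this topic: two lists of two items give four runs.
    for run in expand_runs(["[1, 2]", "[3, 4]"]):
        print(run)

    # Constructed sample input: a quoted list is accepted.
    ips = '["192.0.2.10", "198.51.100.7"]'
    print(len(expand_runs([ips])), "runs")

    # Unquoted items are not valid Python syntax and are rejected.
    try:
        expand_runs(["[192.0.2.10, 198.51.100.7]"])
    except ValueError as err:
        print("rejected:", err)
```

The number of runs is the product of the list lengths, so check the count before passing several long lists to an action that contacts external services.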

Last modified on 21 January, 2020
This documentation applies to the following versions of Splunk® Phantom: 4.8, 4.9
