Use a datapath
You can use a datapath as an argument to a slash command, which makes slash commands flexible and powerful. Use the /inspect command to find the datapath you want to pass to other slash commands.
Datapaths
A datapath is a series of names, keywords, attributes, and wildcards that evaluates to a list of values, such as attributes of artifacts or the results of an action. A datapath that matches nothing evaluates to an empty list, so check the result with /inspect before passing it to an action.
A datapath is described using this format:
<type>:<path.to.value_name>
Example of a datapath for an artifact attribute:
artifact:*.ip
Artifacts are indexed by their Common Event Format (CEF) data, so only CEF data is available for use in datapaths. You cannot access other artifact fields, such as label or description, through a datapath.
Example of a datapath for action results:
action_result:data.*.longitude
For more information on datapaths, see collect in the Python Playbook API Reference.
Use the /inspect command
Use the /inspect command to examine artifacts and to look for datapaths you want to use with another slash command.
See the following example:
Examine an artifact to see if it has IP addresses in its CEF data.
/inspect artifact:*
The above example returns the following:
{u'ip': u'2.2.2.2'} {u'ip': u'1.1.1.1'}
Because the artifacts contain an ip field in their CEF data, you can pass that information to another command with the datapath artifact:*.ip, which matches the key shown in the /inspect output above.
/action whois_ip "WHOIS" artifact:*.ip
See the following example:
Examine an action_run.
/inspect action_run:1
The command returns the action run as JSON:
{
  "comment": "",
  "node_guid": "d7c64d0f-fd0b-4d0b-8c68-34704ee91247",
  "playbook_run": null,
  "exec_order": null,
  "_pretty_owner": "admin",
  "creator": 1,
  "_pretty_undo": null,
  "assign_time": null,
  "create_time": "2019-12-12T00:32:20.600117Z",
  "playbook": null,
  "_pretty_playbook": "",
  "owner": 1,
  "message": "1 action succeeded",
  "action": "geolocate ip",
  "close_time": "2019-12-12T00:32:21.059521Z",
  "exec_delay_secs": 0,
  "container": 78,
  "_pretty_update_time": "17 minutes ago",
  "_pretty_has_app_runs": true,
  "id": 2,
  "targets": [
    {
      "app_id": 118,
      "parameters": [
        {
          "ip": "115.249.247.26"
        }
      ],
      "assets": [
        2
      ]
    }
  ],
  "due_time": "2019-12-11T21:59:05.213705Z",
  "version": 1,
  "type": "investigate",
  "status": "success",
  "update_time": "2019-12-12T00:32:21.059521Z",
  "handle": null,
  "_pretty_close_time": "17 minutes ago",
  "_pretty_container": "ASN Transaction",
  "_pretty_creator": "admin",
  "ip_address": "10.26.96.21",
  "_pretty_due_time": "Yesterday at 09:59 PM",
  "name": "user initiated geolocate ip action",
  "_pretty_redo": true,
  "_pretty_create_time": "17 minutes ago",
  "cancelled": null,
  "cb_fn": null
}
See the following example:
Get a list of all app_runs.
/inspect app_run:*.id
The command returns the IDs of every app run:
4 7 6 5 8
You can use these app_run IDs with other commands or with REST API calls.
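The datapath format described at the top of this page and the /inspect queries in this section come down to the same operation: take the collection named by the type prefix, walk the dotted path, fan out at each wildcard, and return whatever is left as a list. The following Python evaluator is an added example written for this page; it is not Splunk Phantom's own code or its collect API. The artifacts, action results, action runs and app runs it queries are constructed to match the shapes of the /inspect output shown above, and two details are assumptions of this toy model rather than documented product behaviour: a path under action_result is applied to every result (which is how action_result:data.*.longitude reads), and a numeric segment such as the 1 in action_run:1 indexes the collection. It also shows the two checks a practitioner wants before handing a datapath to an action: non-CEF artifact fields such as label evaluate to nothing, and an empty result is treated as an error rather than silently running the action with no parameters.

```python
"""Toy datapath evaluator for <type>:<path.to.value_name>.
Added illustration for this page; not Splunk Phantom's implementation."""
import re
from typing import Any, Dict, List

# Constructed sample objects (all values made up for this example). The shapes follow
# the /inspect output on this page: artifacts keep their CEF fields under "cef",
# action results carry a "data" list, and app runs have an "id".
SAMPLE: Dict[str, List[Dict[str, Any]]] = {
    "artifact": [
        {"id": 1, "label": "event", "description": "first", "cef": {"ip": "2.2.2.2"}},
        {"id": 2, "label": "event", "description": "second", "cef": {"ip": "1.1.1.1"}},
        {"id": 3, "label": "note", "description": "no ip field", "cef": {"hostname": "srv01"}},
    ],
    "action_result": [
        {"status": "success", "data": [{"latitude": 12.9, "longitude": 77.6}]},
        {"status": "success", "data": [{"latitude": 40.7, "longitude": -74.0},
                                       {"latitude": 51.5, "longitude": -0.1}]},
    ],
    "action_run": [
        {"id": 1, "action": "whois ip", "status": "success"},
        {"id": 2, "action": "geolocate ip", "status": "success"},
    ],
    "app_run": [{"id": 4}, {"id": 7}, {"id": 6}, {"id": 5}, {"id": 8}],
}

# Assumption of this model: a path under action_result is applied to every result
# (the way action_result:data.*.longitude on this page reads); every other type needs
# an explicit wildcard or index to select members of its collection.
IMPLICIT_FANOUT = {"action_result"}

DATAPATH_RE = re.compile(r"^(?P<type>[a-z_]+):(?P<path>\S+)$")


def _step(node: Any, token: str) -> List[Any]:
    """Apply one path segment to one node; a segment that matches nothing yields nothing."""
    if token == "*":                       # wildcard: every member of a list or dict
        if isinstance(node, list):
            return list(node)
        if isinstance(node, dict):
            return list(node.values())
        return []
    if isinstance(node, list):             # assumption: a numeric segment indexes a list
        if token.isdigit() and int(token) < len(node):
            return [node[int(token)]]
        return []
    if isinstance(node, dict) and token in node:
        return [node[token]]
    return []


def evaluate(datapath: str, store: Dict[str, List[Dict[str, Any]]] = SAMPLE) -> List[Any]:
    """Evaluate a datapath to the list of values it selects (possibly empty)."""
    match = DATAPATH_RE.match(datapath)
    if not match:
        raise ValueError(f"malformed datapath: {datapath!r}")
    kind, path = match.group("type"), match.group("path")
    if kind not in store:
        raise ValueError(f"unknown datapath type: {kind!r}")
    roots: List[Any] = store[kind]
    if kind == "artifact":
        # Only CEF data is addressable: project each artifact to its "cef" dict, so
        # artifact:*.label and artifact:*.description evaluate to an empty list.
        roots = [artifact.get("cef", {}) for artifact in roots]
    nodes: List[Any] = roots if kind in IMPLICIT_FANOUT else [roots]
    for token in path.split("."):
        nodes = [child for node in nodes for child in _step(node, token)]
    return nodes


def require_values(datapath: str, store: Dict[str, List[Dict[str, Any]]] = SAMPLE) -> List[Any]:
    """Check to run before passing a datapath to an action: an empty result means the
    action would run with no parameters, so fail loudly instead."""
    values = evaluate(datapath, store)
    if not values:
        raise ValueError(f"{datapath} selected no values")
    return values


if __name__ == "__main__":
    for dp in ("artifact:*", "artifact:*.ip", "artifact:*.label",
               "action_result:data.*.longitude", "action_run:1", "app_run:*.id"):
        print(dp, "->", evaluate(dp))
```

Running the block prints each datapath beside the list it selects over the constructed sample. The third artifact, which has no ip field, simply contributes nothing to artifact:*.ip; that silent drop is why require_values exists, since an action fed an empty parameter list fails in a less obvious place than the datapath that produced it.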
This documentation applies to the following versions of Splunk® Phantom (Legacy): 4.8, 4.9, 4.10, 4.10.1, 4.10.2, 4.10.3, 4.10.4, 4.10.6, 4.10.7