Use a datapath in Splunk SOAR (On-premises)
You can use a datapath as an argument with a slash command. This makes slash commands flexible and powerful. Use the /inspect command to get the datapath to use with other slash commands.
Datapaths
A datapath is a series of names, keywords, attributes, and wildcards that evaluates to a list of values. These values can be attributes of artifacts or action results.
A datapath is described using this format:
<type>:<path.to.value_name>
Example of a datapath for an artifact attribute:
artifact:*.ip
Artifacts are indexed by their common event format (CEF) data, so only CEF data is available to use in datapaths. You cannot access other fields such as label or description.
Example of a datapath for action results:
action_result:data.*.longitude
For more information on datapaths, see collect in the Python Playbook API Reference for Splunk SOAR (On-premises).
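To make the evaluation rule concrete (a dotted path where each `*` fans out over a list, and the whole path collapses to a flat list of values), here is a small resolver written for this page. It is an added illustration, not Splunk SOAR's own collect implementation: the container contents, the `resolve` and `_step` functions, and the way artifact records are laid out (`cef` beside `label` and `description`) are all constructed assumptions. It also shows the CEF-only rule from the paragraph above: `artifact:*.label` resolves to nothing because traversal starts at each artifact's CEF dictionary.

```python
"""Toy resolver for Splunk SOAR-style datapaths.

Added illustration only; not the product's `collect` implementation.
A datapath has the form <type>:<path.to.value_name>. Each dotted segment
selects a key (or a list index); `*` fans out over every element of a list
or every value of a dict, so the whole path evaluates to a flat list.
"""
from typing import Any, Dict, List

# Constructed sample container: two artifacts and one action result.
# Artifact attributes live under "cef"; label/description are kept only
# to show that the resolver never reaches them (CEF-only rule).
SAMPLE_ARTIFACTS: List[Dict[str, Any]] = [
    {"id": 1, "label": "event", "description": "first",
     "cef": {"ip": "2.2.2.2"}},
    {"id": 2, "label": "event", "description": "second",
     "cef": {"ip": "1.1.1.1"}},
]
SAMPLE_ACTION_RESULTS: List[Dict[str, Any]] = [
    {"data": [{"longitude": 13.4, "latitude": 52.5},
              {"longitude": -0.1, "latitude": 51.5}]},
]


def _step(nodes: List[Any], segment: str) -> List[Any]:
    """Apply one path segment to every current node and flatten the result."""
    out: List[Any] = []
    for node in nodes:
        if segment == "*":
            if isinstance(node, dict):
                out.extend(node.values())
            elif isinstance(node, list):
                out.extend(node)
        elif isinstance(node, dict) and segment in node:
            out.append(node[segment])
        elif (isinstance(node, list) and segment.isdigit()
              and int(segment) < len(node)):
            out.append(node[int(segment)])
        # Any other combination does not match: the node is dropped silently,
        # which is why a bad path yields an empty list rather than an error.
    return out


def resolve(datapath: str,
            artifacts: List[Dict[str, Any]] = SAMPLE_ARTIFACTS,
            action_results: List[Dict[str, Any]] = SAMPLE_ACTION_RESULTS
            ) -> List[Any]:
    """Evaluate `<type>:<path>` against the sample container; returns a list."""
    if ":" not in datapath:
        raise ValueError("datapath must look like <type>:<path>")
    kind, path = datapath.split(":", 1)
    if kind == "artifact":
        # The artifact list is the root node, so a leading `*` selects every
        # artifact and an index such as `1` selects one. Only the CEF block of
        # each artifact is addressable (assumed layout).
        nodes: List[Any] = [[a.get("cef", {}) for a in artifacts]]
    elif kind == "action_result":
        # action_result paths are relative to each result, so the result
        # records are already fanned out (assumption about the layout).
        nodes = list(action_results)
    else:
        raise ValueError(f"unknown datapath type {kind!r}")
    for segment in path.split("."):
        nodes = _step(nodes, segment)
    return nodes


if __name__ == "__main__":
    for dp in ("artifact:*", "artifact:*.ip", "artifact:*.label",
               "action_result:data.*.longitude"):
        print(dp, "->", resolve(dp))
```

Running the module prints one line per datapath; `artifact:*` returns the two CEF dictionaries, just as the /inspect output on this page does, while `artifact:*.label` returns an empty list because non-CEF fields are outside the reachable data.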
Use the /inspect command
Use the /inspect command to examine artifacts and to look for datapaths you want to use with another slash command.
See the following example:
Examine an artifact to see if it has IP addresses in its CEF data.
/inspect artifact:*
The above example returns the following:
{u'ip': u'2.2.2.2'} {u'ip': u'1.1.1.1'}
Because there is IP information in the artifact, you can access that information in another command with a datapath.
/action whois_ip "WHOIS" artifact:*.ips.*
See the following example:
Examine an action_run.
/inspect action_run:1
The above example returns JSON-formatted action run information.
See the following example:
Get a list of all app_runs.
/inspect app_run:*.id
Returns:
4 7 6 5 8
You can use these app_run IDs with other commands or REST API calls.
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1, 6.4.0