https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619917#M1010 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222170">@phanTom</a>&nbsp;</P><P>Good to know. When I was trying to do that before, that was back in 4.6.X something. It's been awhile.&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249062">@scorsatto</a>&nbsp;Listen to him! He's got the evidence.&nbsp;</P> Mon, 07 Nov 2022 15:41:31 GMT Dave_Burns 2022-11-07T15:41:31Z https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619197#M1001 <P>is there an option to update the value of a specific field within a specific artifact? I was able to update using phantom update_artifact action or with a REST call, but when the field is updated it also delete the other existent fields in that artifact.</P> Wed, 02 Nov 2022 02:39:47 GMT https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619197#M1001 scorsatto 2022-11-02T02:39:47Z https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619904#M1008 <P>The interfaces only seem to update the entire artifact.&nbsp;</P><P>You could create a custom function where you provide the artifact id, field to change, and new value.&nbsp;</P><P>It fetches the entire artifact first, change the field value, and then "re-save" that artifact.&nbsp;</P><P><SPAN>That way you have something modular if you need to do it again in the future.&nbsp;</SPAN></P> Mon, 07 Nov 2022 15:23:41 GMT https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619904#M1008 Dave_Burns 2022-11-07T15:23:41Z https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619915#M1009 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249062">@scorsatto</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244875">@Dave_Burns</a>&nbsp;I am not sure what version you may be on but the update_artifact action on the Phantom Phantom app does update and doesn't overwrite, unless you tick the box.&nbsp;</P><P>I simply put the JSON of the field I wanted to update in the 'cef_json' field and it updated and didn't overwrite.&nbsp;<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phanTom_2-1667835459241.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22374i249CDC3CAECCCD06/image-size/medium?v=v2&amp;px=400" role="button" title="phanTom_2-1667835459241.png" alt="phanTom_2-1667835459241.png" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phanTom_0-1667835437156.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22372iEDDD4725C60BC32D/image-size/medium?v=v2&amp;px=400" role="button" title="phanTom_0-1667835437156.png" alt="phanTom_0-1667835437156.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="phanTom_1-1667835447182.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/22373iDC5D4D75666DE934/image-size/medium?v=v2&amp;px=400" role="button" title="phanTom_1-1667835447182.png" alt="phanTom_1-1667835447182.png" /></span></P><P>Bear in mind if you are trying to add the same CEF field to an existing artifact, it won't work as you would need a new artifact. If you use update artifact to ADD the same field with a different value, then it will overwrite due to the above.&nbsp;</P> Mon, 07 Nov 2022 15:40:28 GMT https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619915#M1009 phanTom 2022-11-07T15:40:28Z https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619917#M1010 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222170">@phanTom</a>&nbsp;</P><P>Good to know. When I was trying to do that before, that was back in 4.6.X something. It's been awhile.&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249062">@scorsatto</a>&nbsp;Listen to him! He's got the evidence.&nbsp;</P> Mon, 07 Nov 2022 15:41:31 GMT https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619917#M1010 Dave_Burns 2022-11-07T15:41:31Z https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619927#M1011 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/244875">@Dave_Burns</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222170">@phanTom</a>. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app</P> Mon, 07 Nov 2022 16:10:35 GMT https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/619927#M1011 scorsatto 2022-11-07T16:10:35Z https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/632218#M1140 <P>Hi, saw the answers and they are very close to what I also need but I would additionally want to place new key:value pair under the already existing key.<BR /><BR />E.g. Add new key "test" under existing "test_header"</P><P>"cef": {<BR />"test_header": {<BR />&nbsp; &nbsp; &nbsp; "test": "value"</P><P>&nbsp;</P> Fri, 24 Feb 2023 15:16:57 GMT https://community.splunk.com/t5/Splunk-SOAR/How-to-update-an-artifact-field/m-p/632218#M1140 licroBI_0x1 2023-02-24T15:16:57Z