Splunk Phantom

Unable to use foreach or dummy encoding in Phantom Splunk queries?

Motivator

Splunk app for Phantom supports running a query on Splunk.
I am trying to use foreach in my query, but the action fails with an error

| foreach x_* [ eval f_{<<FIELD>>}=if(isnotnull('<<FIELD>>'),1,null()) ]

The error I get is

Fri Nov 01 2019 17:15:01 GMT+1100 (Australian Eastern Daylight Time): phantom.format(): Unexpected error in format(): Traceback (most recent call last):
  File "../pylib/phantom/rules.py", line 1119, in format
  File "../pylib/phantom/rules.py", line 188, in encode_all_parameters
  File "../pylib/phantom/rules.py", line 1257, in expand_template_
KeyError: '<<FIELD>>'
Fri Nov 01 2019 17:15:01 GMT+1100 (Australian Eastern Daylight Time): '<<FIELD>>'

Any ideas how to get this through. I tried writing an expanded version of the foreach, i.e.

| eval f_{x_0}=if(isnotnull(x_0), 1, null())...

but that also failed with

Fri Nov 01 2019 17:19:23 GMT+1100 (Australian Eastern Daylight Time): phantom.format(): Unexpected error in format(): Traceback (most recent call last):
  File "../pylib/phantom/rules.py", line 1119, in format
  File "../pylib/phantom/rules.py", line 188, in encode_all_parameters
  File "../pylib/phantom/rules.py", line 1257, in expand_template_
KeyError: 'x_0'
Fri Nov 01 2019 17:19:23 GMT+1100 (Australian Eastern Daylight Time): 'x_0'
Labels (2)
Tags (2)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

Whenever you're using a Format Block within a playbook and the Template contains curly bracket characters "{" or "}" you will need to escape the characters by doubling the brackets "{{" or "}}"

This is due to how the template parameter variables are inserted - {0}, {1}, {2}.. and so on.

This syntax may work better for you:

| foreach x_* [ eval f_{{<<FIELD>>}}=if(isnotnull('<<FIELD>>'),1,null()) ]

or

| foreach x_* [ eval f_{{0}}=if(isnotnull('<<FIELD>>'),1,null()) ]

View solution in original post

Communicator

Have you tried this query in Splunk and made sure that it is working? In 1st query, the problem is "{<>}", If you want to include the braces, then you need to escape the braces using double braces

Motivator

Thanks, yes it works in Splunk.

0 Karma

Splunk Employee
Splunk Employee

Whenever you're using a Format Block within a playbook and the Template contains curly bracket characters "{" or "}" you will need to escape the characters by doubling the brackets "{{" or "}}"

This is due to how the template parameter variables are inserted - {0}, {1}, {2}.. and so on.

This syntax may work better for you:

| foreach x_* [ eval f_{{<<FIELD>>}}=if(isnotnull('<<FIELD>>'),1,null()) ]

or

| foreach x_* [ eval f_{{0}}=if(isnotnull('<<FIELD>>'),1,null()) ]

View solution in original post

Motivator

Thanks - rookie error in Phantom I guess - escaping the braces with double braces worked.

0 Karma