Splunk SOAR (f.k.a. Phantom)

Data access(collect2) bug in phantom v6.1.0

dennyw
Engager

Please help comment on below issue 

Bug description:

Option limit is not processed correctly for phantom.collect2 in phantom version 6.1.0

Reproduce in lab:

testb = phantom.collect2(container=container,tags=["test"], datapath=['artifact:*.name'],limit=0)
phantom.debug(len(testb))

 

There are more than 6000 artifacts in test container

However, phantom.collect2 can only return 1999 results even though we set limit=0 which means no limit

 

Nov 09, 11:19:01 : phantom.collect2(): called for datapath['artifact:*.name'], scope: None and filter_artifacts: None
Nov 09, 11:19:01 : phantom.get_artifacts() called for label: *
Nov 09, 11:19:01 : phantom.collect(): called with datapath: artifact:* / <class 'str'>, limit = 2000, scope=all, filter_artifact_ids=[] and none_if_first=False with trace:False
Nov 09, 11:19:01 : phantom.collect(): calling out to collect_from_container
Nov 09, 11:19:01 : phantom.collect(): called with datapath 'artifact:*', scope='all' and limit=2000. Found 2000 TOTAL artifacts
Nov 09, 11:19:01 : phantom.collect2(): Classified datapaths as [<DatapathClassification.ARTIFACT: 1>]
Nov 09, 11:19:01 : phantom.collect(): called with datapath as LIST of paths, scope='all' and limit=0. Found 1999 TOTAL artifacts
Nov 09, 11:19:01 : 1999

 

 

 
 
 
 
Labels (1)
0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...