Splunk SOAR (f.k.a. Phantom)

Exception: Operation not permitted: '/opt/phantom/local_data/app_states ...

New Member

Using the app user interface introduced in, when running the app from this interface, it fails saving state.

This is a new feature in 5.1 which does not exist in 5.0. When running the app from an event, there is no issue. Looking at the state directory, there are temporary files created in the directory for each failed execution.

Note: there is a permission error chmod_func(dst, stat.S_IMODE(st.st_mode))\r\nPermissionError: [Errno 1] likely the root cause of the issue.

{"identifier": "retrieve flows", "result_data": [{"data": [], "extra_data": [], "summary": {}, "status": "failed", "message": "Could not retrieve Tenants(Domains)", "parameter": {"timespan": 60, "start_time": "2022-01-24T15:30:00Z", "record_limit": 2000, "malicious_ip": ""}, "context": {}}], "result_summary": {"total_objects": 1, "total_objects_successful": 0}, "status": "failed", "message": "Exception Occurred. [Errno 1] Operation not permitted: '/opt/phantom/local_data/app_states/eac976c5-c8d7-4b77-9fdd-52bab068679c/9_state.json'.\r\nTraceback (most recent call last):\r\n  File \"../pylib/phantom/base_connector.py\", line 3252, in _handle_action\r\n  File \"/opt/phantom/apps/ciscosecurenetworkanalytics_eac976c5-c8d7-4b77-9fdd-52bab068679c/ciscosecurenetworkanalytics_connector.py\", line 458, in finalize\r\n    self.save_state(self._state)\r\n  File \"../pylib/phantom/base_connector.py\", line 2978, in save_state\r\n  File \"/opt/phantom/usr/python36/lib/python3.6/shutil.py\", line 246, in copy\r\n    copymode(src, dst, follow_symlinks=follow_symlinks)\r\n  File \"/opt/phantom/usr/python36/lib/python3.6/shutil.py\", line 144, in copymode\r\n    chmod_func(dst, stat.S_IMODE(st.st_mode))\r\nPermissionError: [Errno 1] Operation not permitted: '/opt/phantom/local_data/app_states/eac976c5-c8d7-4b77-9fdd-52bab068679c/9_state.json'", "exception_occured": true, "action_cancelled": false}
Traceback (most recent call last):


File "ciscosecurenetworkanalytics_eac976c5-c8d7-4b77-9fdd-52bab068679c/eac976c5-c8d7-4b77-9fdd-52bab068679c_2022_01_25_02_38_01.py", line 32, in <module>
    raise Exception("Action Failed")
Exception: Action Failed


There is no issue with the code in as this user interface does not exist. The code functions fine from the shell/CLI or from the events screen.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...