Splunk SOAR (f.k.a. Phantom)

Phantom: How can I use a format block to format the results of a Splunk query?

AlexBryant
Path Finder

I am using Phantom to submit a Splunk query and I can get the results from the action_result.data artifact. Those results are stored in the form of JSON:

[{"Name": "Alex", "Title": "Developer"},{"Name": "Thomas", "Title": "Administrator"}]

What format template would I use in a format block in order to turn that artifact into this?

Alex is the team's Developer.
Thomas is the team's Administrator.

I can reference the JSON itself in the template as {0}, but I don't see a way to iterate through list of items, or within an item, reference the keys/values.

Thanks
--Alex

Labels (2)
Tags (1)
0 Karma
1 Solution

AlexBryant
Path Finder

I figured it out.

If you run a Splunk query with a 'run query' block: "sourcetype=teammates | table Name, Title"

You can connect the query block to a format block, and reference each field displayed from your Splunk results as a separate parameter in the template parameters:

0 = run_query_1:action_result.data..Name
1 = run_query_1:action_result.data..Title
The field names are case sensitive

Then within the format block in the template itself, use the double-percent notation to designate the template as an iterable list, and reference the various fields from the Splunk query as {0}, {1}, etc. as defined in the template:

%%
{0} is a {1} on the team.
%%

Result:
Alex is a developer on the team.
Thomas in a manager on the team.

View solution in original post

AlexBryant
Path Finder

I figured it out.

If you run a Splunk query with a 'run query' block: "sourcetype=teammates | table Name, Title"

You can connect the query block to a format block, and reference each field displayed from your Splunk results as a separate parameter in the template parameters:

0 = run_query_1:action_result.data..Name
1 = run_query_1:action_result.data..Title
The field names are case sensitive

Then within the format block in the template itself, use the double-percent notation to designate the template as an iterable list, and reference the various fields from the Splunk query as {0}, {1}, etc. as defined in the template:

%%
{0} is a {1} on the team.
%%

Result:
Alex is a developer on the team.
Thomas in a manager on the team.

sam_splunk
Splunk Employee
Splunk Employee

How would you like the output to be formatted? Presumably something like a table/csv?

0 Karma

AlexBryant
Path Finder

The output will be part of the body of an email that Phantom will send out. Either a table or lines of plaintext will work fine for my purposes. I've figured out how to reference the JSON that represents the records returned by the Splunk query, and from there I customized the Format block with some Python that iterates through with a for loop to create an HTML table.

However, I'd like to use only the template to iterate through the JSON instead of custom code in the format block, and I've read that a "%%" in the template can accomplish this, but I haven't gotten it to work - that's really what I'm after.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...