Splunk SOAR (f.k.a. Phantom)

Phantom Prompt Block: When using the response type 'list', is there a way to have #1 be set as the default response?

ktsplunksoar
New Member

Not sure if this is a limitation of Phantom prompt block or if someone has figured this out already.

I am using a prompt block to allow a user to build up a config file that will eventually be sent to Splunk to create a saved search. The questions allow the user to select specific values for fields to generate the metadata necessary for the Splunk saved search (Splunk query, time fields, eval fields, etc.).

The response type for the question is a list of choices. There are two choices:

  1. The existing field value (which comes from the config file that was pulled via prior action call)
  2. CHANGE (which would be selected when the value needs to be changed)

When using the response type 'list', is there a way to have #1 be set as the default response? That way, you would only have to select CHANGE from the drop-down, rather than having to select the existing field's value every time if it doesn't need to be changed.

0 Karma

phantom_mhike
Path Finder

@ktsplunksoar,
@phanTom is 100 percent correct on this, whether we are talking about supported or unsupported options. I have tried every version I can think of for hacking together a short circuit in prompts with a default or an auto-fill. Without a feature addition, there is no way to do this.

0 Karma

phanTom
SplunkTrust

@ktsplunksoar unfortunately ALL prompt responses need to be filled before it will allow progression and there is no "default" setting for prompts at present. 
