Splunk SOAR

API Filtering in Splunk SOAR - Access child elements in JSON

JustntherSplker
Explorer

Working on a use case which entails finding All containers/artifacts that match certain field conditions.

The idea is to run an API query against SOAR artifact end point to get all the artifacts and use the returned artifact fields in further fulfilling automation.

A few questions in this respect

1) Does SOAR support API filtering as described in this article - https://medium.com/@lovely_peel_hamster_92/splunk-phantom-rest-api-filters-956a58854bfc

Specifically the ability to access child objects in JSON. Documentation does not seem to mention anything about accessing child objects.

https://docs.splunk.com/Documentation/Phantom/4.10.7/PlatformAPI/RESTQueryData

3) Also, when filters are applied, we seem to lose the ability to restrict the output to a list of fields. It returns the entire JSON, while the requirement is for specific fields.


What we are actually trying to achieve - 

Check for closed SNow INCs and close the corresponding Splunk ES notables and SOAR containers.

We have broken down the approach into modules and have the component parts working but the aforementioned filtering is tripping us up - Solving the problem will help us complete the playbook.

I also found this and we are attempting something very similar - https://community.splunk.com/t5/Splunk-SOAR/Playbook-run-on-bulk-events/m-p/667251. Again, the filtering is key to completing this.

Also, open to suggestions on the approach to achieve the above. Thanks in advance!

 

1 Solution

JustntherSplker
Explorer

@SOARt_of_Lost Appreciate the response. I have since figured out exactly what we want to achieve. The key to achieving it was figuring out how the value is passed to the filter.

The Django 'in' filter expects a comma even if just one value is found for the custom field.

So the Python script in the custom function looks at:

/rest/artifacts?_filter_cef__<our_custom_field>__in="a","b","c","d"&page_size=0 for multiple values, and

/rest/artifacts?_filter_cef__<our_custom_field>__in="a",&page_size=0 when a single value is found.

As for the filter outputs to restrict fields, we eventually achieved that in the function output. The plan was to restrict the values/volume of data returned, but oh well, it wasn't working any which way, so function output was the way to go.


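A worked version of the query the accepted solution describes, added here as an example (not code from the posts or from Splunk). It builds the `__in` filter with the single-value trailing comma the poster found, and then does the client-side field restriction and loop over results that both this post and SOARt_of_Lost's reply end up with. It assumes a caller-supplied `fetch` callable for the HTTP call, a constructed sample response, and a made-up custom field name `snow_inc` in place of `<our_custom_field>`.

```python
"""Splunk SOAR /rest/artifact query using the Django-style __in filter, plus a
client-side projection of the returned artifacts to just the fields we need.
Added example for this thread (not code from the posts or from Splunk). Assumed:
cef_field stands in for <our_custom_field>; fetch is a caller-supplied callable
(e.g. wrapping requests.get with base URL and auth) returning the decoded JSON."""

def build_in_filter_query(cef_field, values, page_size=0):
    """Query string for /rest/artifact?_filter_cef__<field>__in=...&page_size=N
    The accepted answer found the 'in' filter wants comma-separated, double-
    quoted values, and that a single value still needs a trailing comma:
        __in="a","b","c"  (several)      __in="a",  (single)"""
    if not values:
        raise ValueError("an __in filter needs at least one value")
    for v in values:
        # a quote or comma inside a value would alter the filter's structure
        if '"' in v or "," in v:
            raise ValueError("unsafe character in filter value: %r" % v)
    joined = ",".join('"%s"' % v for v in values)
    if len(values) == 1:
        joined += ","
    return "_filter_cef__%s__in=%s&page_size=%d" % (cef_field, joined, page_size)

def fetch_artifacts(fetch, cef_field, values, fields):
    """Run the filtered query and keep only `fields` from each artifact.
    Filtering and per-field retrieval (/rest/artifact/<id>/<field>) do not
    combine in one request, so the restriction is done here by looping over
    the results, as the thread concluded."""
    data = fetch("/rest/artifact?" + build_in_filter_query(cef_field, values))
    rows = []
    for artifact in data.get("data", []):
        row = {}
        for name in fields:
            cur = artifact
            for part in name.split("."):  # "cef.x" reaches into the child object
                cur = cur.get(part) if isinstance(cur, dict) else None
            row[name] = cur
        rows.append(row)
    return rows

# Constructed sample shaped like the endpoint's count/data response; "snow_inc"
# is a made-up custom CEF field standing in for <our_custom_field>.
SAMPLE_RESPONSE = {"count": 2, "data": [
    {"id": 101, "container": 7, "cef": {"snow_inc": "INC0001", "sourceAddress": "10.0.0.5"}},
    {"id": 102, "container": 9, "cef": {"snow_inc": "INC0002", "sourceAddress": "10.0.0.6"}},
]}

def fake_fetch(url):
    """Offline stand-in for the HTTP call; remembers the URL it was given."""
    fake_fetch.last_url = url
    return SAMPLE_RESPONSE
```

In a real custom function, `fetch` would be a thin wrapper around the SOAR REST call and `fields` the handful of keys (container id, the SNow INC field) the playbook needs downstream.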

JustntherSplker
Explorer

@SOARt_of_Lost Going by your profile name, would appreciate your thoughts on this question as well! TIA

https://community.splunk.com/t5/Splunk-SOAR/Splunk-SOAR-access-environment-variables/td-p/741231



SOARt_of_Lost
Path Finder

Thanks for linking that article, I haven't seen it and it's got some handy tips. 

1) Yes. In my limited testing, this works.

3) Unfortunately, that seems to be the tradeoff based on what you're trying to do. When you filter (rest/artifact) you're looking for any artifacts which match your search results. When you request object detail (rest/artifact/5/name) you're restricting your results to artifact 5 specifically.

If you want to give an example of your specific flow, we can probably come up with a more detailed answer. I'm guessing you're going to want something roughly along these lines:

/rest/artifact?_filter_cef__destinationAddress={SNOW INC CI}&_filter_status="new"&page_size=0

 

Unfortunately, I don't think you'll be able to avoid looping through the results one way or another.

 
