Splunk SOAR

Container automation API compatibility with custom functions

jeffrey_berry
Path Finder

Per the Container automation API docs, "the update API is supported from within a custom function". However, for the following code, the "Validate" fails with "Undefined variable 'container'".

update_data = {}
update_data['name'] = 'new container name'
phantom.update(container, update_data)

What is the fix?


jeffrey_berry
Path Finder

def change_event_name(container=None, **kwargs):
    """
    Args:
        container

    Returns a JSON-serializable object that implements the configured data paths:

    """

    ############################ Custom Code Goes Below This Line #################################
    import json
    import phantom.rules as phantom

    outputs = {}

    # Write your custom code here...
    update_data = {}
    update_data['name'] = 'new container name'
    phantom.update(container, update_data)

    # Return a JSON-serializable object
    assert json.dumps(outputs)  # Will raise an exception if the :outputs: object is not JSON-serializable
    return outputs

P_vandereerden
Splunk Employee

I don't know this area well, but the error suggests an issue with "container", and not "update". Within your custom function you are using container, but it would seem it's not defined. How are you passing "container" into your function? 

Paul van der Eerden,
Breaking software for over 20 years.

jeffrey_berry
Path Finder

I tried passing the container class object as an input (item or list type) and not passing as an input also, but it does not work either way. The entire custom function with passing a container class object input is below. The error from debugging the playbook is below. Since the only custom function input types are item or list, it appears that it is not possible to pass a class object type as a custom function input. If so, I would guess that an unknown phantom function needs to be executed in the custom function that returns the container class object.

Does anyone know if a phantom class object function (or some other Splunk SOAR Python library function) exists that returns the container class object? Or some other way to get the phantom.update() function to work within a custom function?

def change_event_name(**kwargs):
    """
    Returns a JSON-serializable object that implements the configured data paths:

    """
    ############################ Custom Code Goes Below This Line #################################
    import json
    import phantom.rules as phantom

    outputs = {}

    # Write your custom code here...
    update_data = {}
    update_data['name'] = 'new container name'
    phantom.update(container, update_data)

    # Return a JSON-serializable object
    assert json.dumps(outputs)  # Will raise an exception if the :outputs: object is not JSON-serializable
    return outputs

Jun 14, 19:04:13 : CustomFunctionRun with id=4043 FAILED: The custom function run is being marked failed because all of its constituent results failed
Error: Encountered an unhandled exception in custom function "change_event_name" for the parameter dictionary at index=0: {'container': 'container'}
Traceback (most recent call last):
  File "change_event_name", line 56, in cfentry
  File "lib3/phantom/decided/playbook_resource_score.py/playbook_resource_score.py", line 123, in _wrapper
  File "change_event_name", line 21, in change_event_name
  File "lib3/phantom/api/container/api_update.py/api_update.py", line 118, in update
  File "lib3/phantom/utils.py/utils.py", line 1166, in inner
  File "lib3/phantom/api/container/api_update.py/api_update.py", line 125, in _update
TypeError: string indices must be integers


SOARt_of_Lost
Path Finder

I wish I had a better answer for you, but after doing some testing, phantom.update() just doesn't seem to want to work from within a custom function. There are other functions which have the same problem but it's usually called out in the documentation. 

What you've written works perfectly from within a custom code block in a playbook. You may just need to make a single block playbook you can call from a parent if you're planning to use this in multiple places.
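
The traceback earlier in the thread shows the function received the parameter dictionary {'container': 'container'}, a plain string, and "string indices must be integers" is what Python raises when a string is indexed by key. As an added example (not code from any poster or from Splunk), here is a plain-Python input guard that reports that condition explicitly. The helper names and the accepted input shapes (dict with an 'id' key, int, numeric string) are assumptions of this example.

```python
def index_like_dict(value):
    """Mimic a dict-style lookup; return the exception name, or None on success."""
    try:
        value["id"]
    except (TypeError, KeyError) as exc:
        return type(exc).__name__
    return None


def normalize_container_input(value):
    """Return a positive integer container id, or raise ValueError with the reason.

    Accepted shapes are assumptions of this example: a dict carrying an 'id'
    key, an int, or a numeric string.
    """
    if isinstance(value, bool):  # bool is a subclass of int, so reject it first
        raise ValueError("container input is a bool, not a container or id")
    if isinstance(value, dict):
        if "id" not in value:
            raise ValueError("container dict has no 'id' key")
        return normalize_container_input(value["id"])
    if isinstance(value, int):
        if value <= 0:
            raise ValueError(f"container id must be positive, got {value}")
        return value
    if isinstance(value, str):
        text = value.strip()
        if text.isdigit() and int(text) > 0:
            return int(text)
        raise ValueError(
            f"container input is the string {value!r}; "
            "expected a container dict or a numeric id"
        )
    raise ValueError(f"unsupported container input type: {type(value).__name__}")


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the value seen in the traceback.
    for sample in ({"id": 42, "name": "constructed"}, "17", "container"):
        try:
            print(repr(sample), "->", normalize_container_input(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
        print("  dict-style lookup raises:", index_like_dict(sample))
```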
