Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to update an artifact field?

scorsatto
Explorer
‎11-01-2022 12:12 PM

is there an option to update the value of a specific field within a specific artifact? I was able to update using phantom update_artifact action or with a REST call, but when the field is updated it also delete the other existent fields in that artifact.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scorsatto
Explorer
‎11-07-2022 08:10 AM

Thanks @Dave_Burns and @phanTom. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎11-07-2022 07:37 AM

@scorsatto @Dave_Burns I am not sure what version you may be on but the update_artifact action on the Phantom Phantom app does update and doesn't overwrite, unless you tick the box. 

I simply put the JSON of the field I wanted to update in the 'cef_json' field and it updated and didn't overwrite. 

phanTom_2-1667835459241.png

 

phanTom_0-1667835437156.png

phanTom_1-1667835447182.png

Bear in mind if you are trying to add the same CEF field to an existing artifact, it won't work as you would need a new artifact. If you use update artifact to ADD the same field with a different value, then it will overwrite due to the above. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

licroBI_0x1
Explorer
‎02-24-2023 07:16 AM

Hi, saw the answers and they are very close to what I also need but I would additionally want to place new key:value pair under the already existing key.

E.g. Add new key "test" under existing "test_header"

"cef": {
"test_header": {
      "test": "value"

 

0 Karma
Reply
Solved! Jump to solution

Dave_Burns
Path Finder
‎11-07-2022 07:41 AM

@phanTom 

Good to know. When I was trying to do that before, that was back in 4.6.X something. It's been awhile. 

@scorsatto Listen to him! He's got the evidence. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Dave_Burns
Path Finder
‎11-07-2022 07:23 AM

The interfaces only seem to update the entire artifact. 

You could create a custom function where you provide the artifact id, field to change, and new value. 

It fetches the entire artifact first, change the field value, and then "re-save" that artifact. 

That way you have something modular if you need to do it again in the future. 

0 Karma
Reply
Solved! Jump to solution
Solution

scorsatto
Explorer
‎11-07-2022 08:10 AM

Thanks @Dave_Burns and @phanTom. that exact what I did, I've created a new CF that get all the data from the artifact first, after that changes the fields I want and then I can use this CF payload result in the update artifact action. it seems the interface always replace the whole artifact data with whatever you post, this is not very clear on the documentation of the app

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...