Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk SOAR
- :
- Phantom: How can I use a format block to format th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using Phantom to submit a Splunk query and I can get the results from the action_result.data artifact. Those results are stored in the form of JSON:
[{"Name": "Alex", "Title": "Developer"},{"Name": "Thomas", "Title": "Administrator"}]
What format template would I use in a format block in order to turn that artifact into this?
Alex is the team's Developer.
Thomas is the team's Administrator.
I can reference the JSON itself in the template as {0}, but I don't see a way to iterate through list of items, or within an item, reference the keys/values.
Thanks
--Alex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out.
If you run a Splunk query with a 'run query' block: "sourcetype=teammates | table Name, Title"
You can connect the query block to a format block, and reference each field displayed from your Splunk results as a separate parameter in the template parameters:
0 = run_query_1:action_result.data..Name
1 = run_query_1:action_result.data..Title
The field names are case sensitive
Then within the format block in the template itself, use the double-percent notation to designate the template as an iterable list, and reference the various fields from the Splunk query as {0}, {1}, etc. as defined in the template:
%%
{0} is a {1} on the team.
%%
Result:
Alex is a developer on the team.
Thomas in a manager on the team.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out.
If you run a Splunk query with a 'run query' block: "sourcetype=teammates | table Name, Title"
You can connect the query block to a format block, and reference each field displayed from your Splunk results as a separate parameter in the template parameters:
0 = run_query_1:action_result.data..Name
1 = run_query_1:action_result.data..Title
The field names are case sensitive
Then within the format block in the template itself, use the double-percent notation to designate the template as an iterable list, and reference the various fields from the Splunk query as {0}, {1}, etc. as defined in the template:
%%
{0} is a {1} on the team.
%%
Result:
Alex is a developer on the team.
Thomas in a manager on the team.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How would you like the output to be formatted? Presumably something like a table/csv?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The output will be part of the body of an email that Phantom will send out. Either a table or lines of plaintext will work fine for my purposes. I've figured out how to reference the JSON that represents the records returned by the Splunk query, and from there I customized the Format block with some Python that iterates through with a for loop to create an HTML table.
However, I'd like to use only the template to iterate through the JSON instead of custom code in the format block, and I've read that a "%%" in the template can accomplish this, but I haven't gotten it to work - that's really what I'm after.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
