Splunk SOAR
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can't add artifact field with message parameter

meshorer
Path Finder
‎03-14-2024 01:56 AM

hello all!

I am trying to add  field to an artifact with "update artifact" action (phantom app).

i am trying to add a 'message parameter' in the 'value' at the cef_json field:

for example:

{"new_field": {0}}

but unfortunately I get "key_error" and the action failed. 

how can I solve it?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎03-14-2024 02:05 AM

@meshorer  when using the format input or format block for JSON you need to use double { & } and encase the value in " such as the below (which I just tested):

{{"new_field": "{0}"}}

Note that you don't need to double the {&} on the {0} as it's a replacement element but the actual JSON elements will need escaping in this way, even if you had nested JSON like the below:

{{"new_field": {{"sub_field": "{0}"}}}}

-- Hope this helps! If so please mark as a solution for future SOARers. Happy SOARing! --

View solution in original post

Tags (3)
0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎03-14-2024 02:05 AM

@meshorer  when using the format input or format block for JSON you need to use double { & } and encase the value in " such as the below (which I just tested):

{{"new_field": "{0}"}}

Note that you don't need to double the {&} on the {0} as it's a replacement element but the actual JSON elements will need escaping in this way, even if you had nested JSON like the below:

{{"new_field": {{"sub_field": "{0}"}}}}

-- Hope this helps! If so please mark as a solution for future SOARers. Happy SOARing! --

Tags (3)
0 Karma
Reply
Solved! Jump to solution

meshorer
Path Finder
‎03-14-2024 02:19 AM

@phanTom thak you so much!

could you also tell me how to add two fields in the same action?

0 Karma
Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎03-14-2024 02:22 AM

@meshorer just add more keys & values to the JSON string 😁

{{"new_field1": "{0}", "new_field2": "{1}"}}

 

 

0 Karma
Reply
Solved! Jump to solution

meshorer
Path Finder
‎03-14-2024 02:25 AM

@phanTom  yeah I got confused with the escaped "{} ".

you are the best!

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...