Splunk Tech Talks
Deep-dives for technical practitioners.

Splunk Phantom: Put the Fun in Custom Functions

melissap
Splunk Employee

View the Tech Talk: Security Edition, Splunk Phantom: Put the Fun in Custom Functions 

Do you want an easier way to personalize and share playbooks in Splunk Phantom? Our latest revision to custom functions allows shareable custom code across playbooks and the introduction of complex data objects into the playbook execution path. These aren’t just out-of-the-box playbooks, but out-of-the-box custom blocks that save you time and effort. This allows for centralized code management and version control of custom functions. These capabilities provide the building blocks for scaling your automation, even to those without coding capabilities. You can create your own custom functions, or use our pre-packaged custom code blocks.

Tune in to learn:

  • How Splunk delivers custom code blocks to you with Phantom.
  • How to centrally manage and reuse your code so you never have to reinvent the wheel again.
  • How you can use custom functions as building blocks to scale out automation within your organization.
  • How to action custom functions with a live demo.

Tech Talk discussions remain open for two weeks following the live Tech Talk event. Have more questions? Check out our Phantom conversations in Splunk Answers community for more!

melissap
Splunk Employee

Here are some of the questions from the live session in July.

Recapping for all.

Q: How to change a legacy custom function to the other custom function? I can't add the input from the data from a whois domain check.
A: You'll have to manually migrate from legacy custom functions to "new" custom functions. Can you elaborate on the second part of your statement? If I'm understanding correctly, you want to take the whole output from whois, and include that as input to the "new" custom function. If that's the case, absolutely you can do that. Just make an input parameter called "whois_results" and then in the playbook, pass in something like - whois_domain_1:action_result.data
 
Q: Love the "Validate" button in the custom code editor. Is there a validate button added to the Playbook editor as well?
A: When you save a playbook, validate is automatically run against your playbook. But there is no "validate" button currently built in.
 
Q: How do I pass it in?
A: Let's say you build a custom function with "whois_results" as an input. You'd first run your "whois domain" action in your Phantom playbook. Then you'd connect that action to your custom function. In the "whois_results" parameter you'd select a data-path like "whois_domain_1:action_result.data" which returns ALL of the results from your "whois domain" action, rather than just one specific field.
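
The custom function described in the answers above, sketched as an added example that is not part of the original post or Splunk's own code: it takes "whois_results" (the whole of whois_domain_1:action_result.data) and reports recently registered domains. The function name, the "max_age_days" and "today" inputs, the "domain" and "creation_date" field names and the sample data are assumptions; the real field names depend on the whois app in use.

```python
import json
from datetime import datetime


def _records(value):
    """Yield dict records from a data-path value that may be None, a dict,
    or lists nested to any depth (one inner list per action result)."""
    if isinstance(value, dict):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            for record in _records(item):
                yield record


def flag_recent_domains(whois_results=None, max_age_days=30, today=None, **kwargs):
    """Return domains registered within max_age_days of the reference date.

    whois_results: value of the whois_domain_1:action_result.data data path
    today: optional "YYYY-MM-DD" reference date (hypothetical input, lets the
           result be reproduced); defaults to the current date
    """
    ref = datetime.strptime(today, "%Y-%m-%d") if today else datetime.now()
    outputs = {"recent_domains": [], "unparsed": 0}

    for record in _records(whois_results):
        # "domain" and "creation_date" are assumed field names.
        domain = record.get("domain")
        created = str(record.get("creation_date") or "")[:10]
        try:
            age_days = (ref - datetime.strptime(created, "%Y-%m-%d")).days
        except ValueError:
            outputs["unparsed"] += 1  # missing or unexpected date format
            continue
        # Playbook inputs may arrive as strings, so coerce the threshold.
        if domain and 0 <= age_days <= int(max_age_days):
            outputs["recent_domains"].append({"domain": domain, "age_days": age_days})

    # The outputs object must be JSON-serializable.
    assert json.dumps(outputs)
    return outputs


# Constructed sample: three action results (one empty) plus a None entry.
SAMPLE = [
    [{"domain": "example.test", "creation_date": "2020-07-01T09:30:00"}],
    [],
    [{"domain": "old.example", "creation_date": "2009-03-14"},
     {"domain": "nodate.example", "creation_date": None}],
    None,
]
```

Counting unparsed records instead of silently dropping them lets a later playbook block decide whether missing whois data should itself be escalated.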
 
melissap
Splunk Employee

Here are additional resources to continue your journey.