About luffy

luffy

I'm using phantom vault api to add files. However, after adding a few files, each with different names due to timestamps, there are cases where there are duplicate vaultIDs for different files. This is the code I've been using to add files to an event. timestamp = datetime.now().strftime("%Y%m%d_%H%M%S") FILE_NAME = f"TestUser_{timestamp}.html" FILE_PATH = f"/opt/phantom/vault/tmp/{FILE_NAME}" with open(FILE_PATH, "w", encoding="utf-8") as file: file.write(html_file) success, message, vault_id = phantom.vault_add( file_location=FILE_PATH, file_name=FILE_NAME, metadata={"contains": ["HTML File"]} )

luffy · ‎09-24-2025

I have a regex to extract filename from object field. This works completely fine in Search. index="test" | rex field=object "(?P<fileName>[^\\\]+)$" However, when I try to input the below custom code in Splunk SOAR, it always returns an error "HTTP 400 Bad Request -- Error in 'rex' command: Encountered the following error while compiling the regex '(?P<fileName>[^\\]+)$': Regex: missing terminating ] for character class." sql_search_query=rf""" index="test" | rex field=object "(?P<fileName>[^\\\]+)$" """ parameters = [] parameters.append({ "command": "search", "search_mode": "smart", "add_raw_field": False, "query": sql_search_query, "parse_only": True, "start_time": "-90d", "end_time": 0, })

Posts	2
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎09-24-2025

Online Status	Offline
Date Last Visited	3 weeks ago

Why are vault IDs in Splunk SOAR not unique?

Regex Error with Splunk SOAR/Phantom

Why are vault IDs in Splunk SOAR not unique?

Regex Error with Splunk SOAR/Phantom

Join the Conversation

Why are vault IDs in Splunk SOAR not unique?

Regex Error with Splunk SOAR/Phantom

Why are vault IDs in Splunk SOAR not unique?

Regex Error with Splunk SOAR/Phantom