Splunk app for Phantom supports running a query on Splunk.
I am trying to use foreach in my query, but the action fails with an error
| foreach x_* [ eval f_{<<FIELD>>}=if(isnotnull('<<FIELD>>'),1,null()) ]
The error I get is
Fri Nov 01 2019 17:15:01 GMT+1100 (Australian Eastern Daylight Time): phantom.format(): Unexpected error in format(): Traceback (most recent call last):
File "../pylib/phantom/rules.py", line 1119, in format
File "../pylib/phantom/rules.py", line 188, in encode_all_parameters
File "../pylib/phantom/rules.py", line 1257, in expand_template_
KeyError: '<<FIELD>>'
Fri Nov 01 2019 17:15:01 GMT+1100 (Australian Eastern Daylight Time): '<<FIELD>>'
Any ideas how to get this through? I tried writing an expanded version of the foreach, i.e.
| eval f_{x_0}=if(isnotnull(x_0), 1, null())...
but that also failed with
Fri Nov 01 2019 17:19:23 GMT+1100 (Australian Eastern Daylight Time): phantom.format(): Unexpected error in format(): Traceback (most recent call last):
File "../pylib/phantom/rules.py", line 1119, in format
File "../pylib/phantom/rules.py", line 188, in encode_all_parameters
File "../pylib/phantom/rules.py", line 1257, in expand_template_
KeyError: 'x_0'
Fri Nov 01 2019 17:19:23 GMT+1100 (Australian Eastern Daylight Time): 'x_0'
Whenever you're using a Format Block within a playbook and the Template contains curly bracket characters "{" or "}" you will need to escape the characters by doubling the brackets "{{" or "}}"
This is due to how the template parameter variables are inserted - {0}, {1}, {2}.. and so on.
This syntax may work better for you:
| foreach x_* [ eval f_{{<<FIELD>>}}=if(isnotnull('<<FIELD>>'),1,null()) ]
or
| foreach x_* [ eval f_{{0}}=if(isnotnull('<<FIELD>>'),1,null()) ]
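To see why the single braces break, here is an added example (not from the thread and not Phantom's own code) that stands in for the Format block's template expansion, which behaves like Python's str.format() with positional parameters {0}, {1}, ... The helper names and the sample index name are constructed for this illustration.

```python
# Minimal stand-in for a Phantom Format block template (constructed example):
# placeholders are positional {0}, {1}, ... and anything else inside single
# braces is looked up as a named parameter, which is what produces the KeyError.

def render_format_block(template: str, *params: str) -> str:
    """Expand a template the way str.format() does (assumed Format block behaviour)."""
    return template.format(*params)


def check_template(template: str, *params: str):
    """Return (ok, rendered_text_or_error) so a template can be validated before use."""
    try:
        return True, render_format_block(template, *params)
    except (KeyError, IndexError, ValueError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


# The original query: {<<FIELD>>} is parsed as a placeholder named "<<FIELD>>",
# no such parameter exists, so expansion raises KeyError: '<<FIELD>>'.
BROKEN = "| foreach x_* [ eval f_{<<FIELD>>}=if(isnotnull('<<FIELD>>'),1,null()) ]"

# The hand-expanded variant fails the same way: {x_0} becomes a lookup of "x_0".
EXPANDED = "| eval f_{x_0}=if(isnotnull(x_0), 1, null())"

# The fix from the answer: doubled braces are emitted as literal single braces,
# so the SPL that reaches Splunk is exactly the foreach syntax it expects.
FIXED = "| foreach x_* [ eval f_{{<<FIELD>>}}=if(isnotnull('<<FIELD>>'),1,null()) ]"

# A real {0} parameter (constructed: an index name) mixed with an escaped clause.
MIXED = "index={0} | foreach x_* [ eval f_{{<<FIELD>>}}=if(isnotnull('<<FIELD>>'),1,null()) ]"

if __name__ == "__main__":
    for name, tpl, args in (("BROKEN", BROKEN, ()), ("EXPANDED", EXPANDED, ()),
                            ("FIXED", FIXED, ()), ("MIXED", MIXED, ("main",))):
        print(name, check_template(tpl, *args))
```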
Have you tried this query in Splunk and made sure that it is working? In the 1st query, the problem is "{<>}". If you want to include the braces, then you need to escape the braces using double braces.
Thanks, yes it works in Splunk.
Thanks - rookie error in Phantom I guess - escaping the braces with double braces worked.