### Sample PSA Installation Command for Minikube Source: https://help.splunk.com/en/appdynamics-saas/end-user-monitoring/26.6.0/end-user-monitoring/synthetic-monitoring/install-the-private-synthetic-agent/set-up-psa-in-minikube An example of the PSA installation command with specific values filled in. This demonstrates how to populate the parameters for a typical Minikube setup. ```bash ./install_psa -e minikube -l -v -u -a -k -c DEL -d Delhi -t Delhi -s DEL -o India -i 28.70 -g 77.10 -p 23.5 -r 1 -z all -m 100Mi/500Mi -n 100Mi/100Mi -x 0.5/1.5 -y 0.1/0.1 -b 2Gi/2Gi -f 2/2 -q true -j 1024k -w 127.0.0.1:8887~127.0.0.1:8888~127.0.0.1:8889 -B "*abc.com;*xyz1.com;*xyz2.com" -C true -A serviceaccount-name -U 9001 -G 9001 -N true -F 9001 -O true ``` -------------------------------- ### Install Java Agent Example Source: https://help.splunk.com/en/appdynamics-on-premises/agent-management/25.4.0/smart-agent-command-line-utility/use-command-line-utility Example command to install a specific version of the Java Agent using the Smart Agent CLI. ```bash appd install java --version 23.9.0 ``` -------------------------------- ### Example Response for Container Labels Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/rest-api-reference/8.5.0/system-settings-endpoints Example JSON response when retrieving container labels setup information. ```json { "events", "test_label" } ``` -------------------------------- ### Executing an Action with Parameters and Start Time Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/python-playbook-api-reference/8.5.0/automation-api/playbook-automation-api This example demonstrates how to use the `phantom.act()` function to execute an action, specifying parameters and a future start time. ```APIDOC ## act ### Description Executes an action on specified assets or all applicable assets. ### Method `phantom.act(action, parameters=None, assets=None, tags=None, callback=None, reviewer=None, handle=None, start_time=None, name=None, asset_type=None, app=None)` ### Parameters * **action** (Required) - The name of the action to run. * **parameters** (Optional) - A list of dictionaries containing parameters for the action. * **assets** (Optional) - A list of asset IDs to run the action on. If not specified, the action runs on all possible assets. * **tags** (Optional) - A list of asset tags to specify which assets to run the action on. * **callback** (Optional) - A function to call upon completion of the action. * **reviewer** (Optional) - A username, email, or group for approval requests. * **handle** (Optional) - An object passed to the callback function. * **start_time** (Optional) - The datetime object for when the action should be scheduled for execution. * **name** (Optional) - A user-defined name for the action instance. * **asset_type** (Optional) - Specifies the type of assets to limit the action to. * **app** (Optional) - A dictionary specifying the app and version to use for the action, e.g., `{"name":"some_app_name", "version":"x.x.x"}`. ### Request Example ```python from datetime import datetime, timedelta params = [] params.append({'ip':'1.1.1.1'}) # schedule 'geolocate ip' 60 seconds from now when = datetime.now()+timedelta(seconds=60) phantom.act("geolocate ip", parameters=params, start_time=when) ``` ``` -------------------------------- ### Example Action Slash Command Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/use-splunk-soar-on-premises/8.5.0/use-the-command-line-interface-to-perform-tasks-in-splunk-soar-on-premises Demonstrates a concrete example of an action slash command to geolocate an IP address using the 'MaxMind' app. ```bash /action geolocate_ip "MaxMind" 1.1.1.1 ``` -------------------------------- ### run_slash_command.pyc Usage and Examples Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/use-splunk-soar-on-premises/8.5.0/use-the-command-line-interface-to-perform-tasks-in-splunk-soar-on-premises Provides the usage syntax for `run_slash_command.pyc` and lists several examples of how to execute various slash commands, including actions, playbooks, setting container names, adding notes, and inspecting artifacts. ```text run_slash_command.pyc USAGE: You will be prompted for authentication. You can set the following environment variables to avoid this: Environment: PH_AUTH_TOKEN: Authenticate using an auth token. PHANTOM_USERNAME: Authenticate with user name. Requires PHANTOM_PASSWORD set to avoid prompt. PHANTOM_PASSWORD: Authenticate with password. Hint: You can get the container ID from the phantom event UI, /mission// Examples: - phenv run_slash_command.pyc 1 /action geolocate_ip "MaxMind" 1.1.1.1 - phenv run_slash_command.pyc 1 /playbook 12 all - phenv run_slash_command.pyc 1 /set name "My Container Name" - phenv run_slash_command.pyc 1 /note "Errant IPs" IPs encountered include 'artifact:*.network.src_ip' - phenv run_slash_command.pyc 1 /inspect 'artifact:*' - phenv run_slash_command.pyc 1 /inspect '[1, 2, 3, 4, 5]' ``` -------------------------------- ### Create a Container using cURL Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/rest-api-reference/8.5.0/container-endpoints/rest-containers This example demonstrates how to create a new container with various properties such as asset ID, description, due time, label, name, owner, sensitivity, severity, source data identifier, status, start time, open time, tags, and container type. The `run_automation` flag is set to false. ```bash curl -k -u soar_local_admin:changeme https://localhost/rest/container \ -d '{ "asset_id": 12, "artifacts": [ ], "custom_fields": {}, "data": { }, "description": "Useful description of this container.", "due_time": "2019-03-21T19:29:23.759Z", "label": "events", "name": "Example Container", "owner_id": "user@mail.example.com", "run_automation": false, "sensitivity": "red", "severity": "high", "source_data_identifier": "4", "status": "new", "start_time": "2019-03-21T19:28:13.759Z", "open_time": "2019-03-21T19:29:00.141Z", "tags": ["tag1", "tag2"], "container_type": "case" }' ``` -------------------------------- ### Retrieve Role - Example Response Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/rest-api-reference/8.5.0/role-management-endpoints A successful GET request returns a JSON formatted list of key names and data for the specified role, detailing its permissions. ```json { execute: "deny", name: "container_label", extra: "archer incident", edit: "allow", object_id: null, role: 7, content_type: null, delete: "allow", id: 53, view: "allow" }, { execute: "deny", name: "repository", extra: "local", edit: "allow", object_id: 2, role: 7, content_type: 51, delete: "allow", id: 54, view: "allow" }, { execute: "deny", name: "tenant", extra: "DefaultTenant", edit: "allow", object_id: 0, role: 7, content_type: 20, delete: "allow", id: 55, view: "allow" } ``` -------------------------------- ### IPv6 Address Example for Automation Broker Source: https://help.splunk.com/en/splunk-soar/splunk-automation-broker/install-splunk-soar-automation-broker/splunk-soar-automation-broker-system-requirements This example shows how to format an IPv6 address when configuring network connectivity for the Automation Broker, particularly in dual-stack environments. ```text [2001:db8:3333:4444:5555:6666:7777:8888] ``` -------------------------------- ### Playbook Function Example Source: https://help.splunk.com/en/splunk-soar/soar-on-premises/python-playbook-api-reference/8.5.0/automation-api Example of defining and calling a playbook function, including setting inputs for a child playbook. ```python def playbook_file_analysis_1(action=None, success=None, container=None, results=None, handle=None, filtered_artifacts=None, filtered_results=None, custom_function=None, **kwargs): phantom.debug("playbook_file_analysis_1() called") inputs = { "file_hash": "09ca7e4eaa6e8ae9c7d261167129184883644d07dfba7cbfbc4c8a2e08360d5b", "file_name": "hello.txt", } # call playbook "local/file_analysis", returns the playbook_run_id playbook_run_id = phantom.playbook("local/file_analysis", container=container, inputs=inputs) ``` -------------------------------- ### Paginate through installed Splunkbase apps Source: https://help.splunk.com/en/splunk-cloud-platform/administer/admin-config-service-manual/10.4.2604/administer-splunk-cloud-platform-using-the-admin-config-service-acs-api/manage-splunkbase-apps-in-splunk-cloud-platform When dealing with a large number of installed apps, use the `offset` and `count` parameters in your GET request to paginate through the results. This example shows how to retrieve the next 100 apps starting from the 100th app. ```bash curl 'https://admin.splunk.com/{stack}/adminconfig/v2/apps/victoria?offset=100&count=100&splunkbase=true' ``` -------------------------------- ### Basic setup.xml.conf Structure Source: https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.1-configuration-file-reference/setup.xml.conf This example demonstrates the basic structure of a setup.xml.conf file, including a block with text and input elements for configuring a saved search. ```xml some description here bool text list bool ``` -------------------------------- ### Sample Output of 'appdctl show boot' Source: https://help.splunk.com/en/appdynamics-on-premises/virtual-appliance-self-hosted/26.1.0/deploy-splunk-appdynamics-on-premises-virtual-appliance/vmware-vsphere This is an example of the expected output when running 'appdctl show boot'. It lists various setup components and their status. ```text NAME | STATUS | ERROR -------------------+-----------+------- firewall-setup | Succeeded | -- hostname | Succeeded | -- netplan | Succeeded | -- ssh-setup | Succeeded | -- storage-setup | Succeeded | -- cert-setup | Succeeded | -- enable-time-sync | Succeeded | -- microk8s-setup | Succeeded | -- cloud-init-config | Succeeded | -- ``` ```text NAME | STATUS | ERROR -------------------+-----------+------- firewall-setup | Succeeded | -- hostname | Succeeded | -- netplan | Succeeded | -- ssh-setup | Succeeded | -- storage-setup | Succeeded | -- cert-setup | Succeeded | -- enable-time-sync | Succeeded | -- microk8s-setup | Succeeded | -- cloud-init-config | Succeeded | -- ``` -------------------------------- ### Run Linux Enterprise Console Installer Source: https://help.splunk.com/en/appdynamics-on-premises/enterprise-console/25.4.0/upgrade-the-enterprise-console Execute the Enterprise Console setup script on Linux to start the upgrade process in GUI or console mode. ```bash ./platform-setup-64bit-linux.sh ``` -------------------------------- ### Sample Installation Output Source: https://help.splunk.com/en/appdynamics-on-premises/virtual-appliance-self-hosted/26.1.0/install-splunk-appdynamics-services-using-cli/standard-deployment This is a sample output showing the installed services, their charts, versions, and durations. ```text NAME CHART VERSION DURATION cert-manager-ext charts/cert-manager-ext 0.0.1 0s ingress-nginx charts/ingress-nginx 4.8.3 1s redis-ext charts/redis-ext 0.0.1 1s ingress charts/ingress 0.0.1 2s cluster charts/cluster 0.0.1 2s reflector charts/reflector 7.1.216 2s monitoring-ext charts/monitoring-ext 0.0.1 2s minio-ext charts/minio-ext 0.0.1 2s eum charts/eum 0.0.1 2s fluent-bit charts/fluent-bit 0.39.0 2s postgres charts/postgres 0.0.1 2s mysql charts/mysql 0.0.1 3s redis charts/redis 18.1.6 3s controller charts/controller 0.0.1 3s events charts/events 0.0.1 4s cluster-agent charts/cluster-agent 1.16.37 4s kafka charts/kafka 0.0.1 6s minio charts/minio 5.0.14 47s ``` -------------------------------- ### Get Fields with Wildcards using getfields Source: https://help.splunk.com/en/splunk-cloud-platform/search/spl2-search-reference/evaluation-functions/informational-functions Use the getfields function with wildcards to filter and collect statuses from servers. This example retrieves all fields starting with 'status_'. ```spl ... | eval serverData = getfields('status_*_*') ``` -------------------------------- ### Run Windows Enterprise Console Installer Source: https://help.splunk.com/en/appdynamics-on-premises/enterprise-console/25.4.0/upgrade-the-enterprise-console Execute the Enterprise Console setup executable on Windows to start the upgrade process in GUI mode. It is recommended to run as administrator. ```batch platform-setup-64bit-windows.exe ``` -------------------------------- ### Show Help for Create Platform Command (Linux) Source: https://help.splunk.com/en/appdynamics-on-premises/enterprise-console/25.4.0/administer-the-enterprise-console Run this command to view all available options and parameters for creating a platform on Linux. ```bash bin/platform-admin.sh create-platform -h ``` -------------------------------- ### Example App Response Source: https://help.splunk.com/en/splunk-soar/soar-cloud/rest-api-reference/app-endpoints A successful GET request to the /rest/app/ endpoint returns a JSON object containing detailed information about the app. This includes its version, configuration parameters, description, and installation details. ```json { "app_config_render": null, "product_version_regex": ".*", "python_version": "3.6", "uber_view": null, "disabled": false, "logo": "logo_abuseipdb.svg", "install_time": "2019-07-15T01:31:42.560831Z", "id": 112, "logo_dark": "logo_abuseipdb_dark.svg", "rest_handler": null, "appname": "-", "_pretty_invalid_assets": [], "version": 1, "_pretty_actions": [ { "description": "Report an IP for abusive behavior", "name": "post ip" }, { "description": "Queries IP info", "name": "lookup ip" }, { "description": "Validate the asset configuration for connectivity using supplied configuration", "name": "test connectivity" } ], "app_version": "1.0.9", "type": "reputation", "product_name": "AbuseIPDB", "description": "This app integrates with AbuseIPDB to perform investigative actions", "tags": [], "_pretty_asset_count": 1, "app_config": {}, "_pretty_install_time": "Jul 15 at 01:31 AM", "configuration": { "api_key": { "required": true, "description": "API Key", "data_type": "password" } }, "product_vendor": "AbuseIPDB", "publisher": "Splunk", "name": "AbuseIPDB", "release_tag": null, "consolidate_widgets": true, "appid": "52876771-17a7-45ad-8cc5-513bbd2172c5", "directory": "abuseipdb_52876771-17a7-45ad-8cc5-513bbd2172c5", "_pretty_dark_logo": "logo_abuseipdb_dark.svg", "require_auth_token": false, "main_module": "abuseipdb_connector.pyc", "known_versions": [ "1.0.9" ] } ``` -------------------------------- ### Install ATD Services (Demo Profile) Source: https://help.splunk.com/en/appdynamics-on-premises/virtual-appliance-self-hosted/26.1.0/install-splunk-appdynamics-services-using-cli/hybrid-deployment/install-services Installs ATD services using the demo profile. This is a quick way to set up for testing. ```bash appdcli start atd demo ``` -------------------------------- ### Get Automation Broker Response Example Source: https://help.splunk.com/en/splunk-soar/soar-cloud/rest-api-reference/automation-broker-endpoints Example JSON response for a successful GET request to retrieve Automation Broker information. ```json { "id": 6, "name": "foo", "owner": 1, "service_account": 10, "create_time": "2021-06-30T16:40:07.740125Z", "update_time": "2021-06-30T16:40:26.068649Z", "keys_rotated_time": "2021-06-30T16:40:26.067635Z", "type": "ACTION_BROKER", "version": "4.12.2.58336", "status": "complete", "last_seen_status": "inactive" } ``` -------------------------------- ### App details response example Source: https://help.splunk.com/en/splunk-cloud-platform/administer/admin-config-service-manual/10.4.2604/administer-splunk-cloud-platform-using-the-admin-config-service-acs-api/manage-private-apps-in-splunk-cloud-platform This JSON output indicates the status of an app installation. A status of 'installed' signifies successful completion. ```json { "label": "tos", "name": "tos", "status": "installed", "version": "" } ``` -------------------------------- ### Install Splunk Enterprise RPM (Example Custom Directory) Source: https://help.splunk.com/en/splunk-enterprise/administer/install-and-upgrade/10.4/install-splunk-enterprise-on-linux-or-macos An example of installing Splunk Enterprise into `/new_directory/splunk` using the `--prefix` argument. ```bash rpm -i --prefix=/new_directory splunk_package_name.rpm ``` -------------------------------- ### List Controller Install Parameters (Linux) Source: https://help.splunk.com/en/appdynamics-on-premises/controller-deployment/26.6.0/controller-deployment/install-the-controller-using-the-cli/install-the-controller-using-the-command-line Use this command on Linux to view the required and optional parameters for installing the Controller with a demo profile size. ```bash platform-admin.sh list-job-parameters --job install --service controller ```