splunk.es.splunk_response_plan_execution_info module – Gather information about applied response plans on an investigation
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install splunk.es`.
To use it in a playbook, specify: `splunk.es.splunk_response_plan_execution_info`.
New in splunk.es 5.1.0
Synopsis
This module retrieves information about response plans applied to a Splunk Enterprise Security investigation.
Returns the complete structure of applied response plans including phases and task statuses.
Use this module to query the current state of response plan execution without making changes.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Comments |
|---|---|
| api_app | The app portion of the Splunk API path. Override this if your environment uses a different app name. Default: |
| api_namespace | The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: |
| api_user | The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: |
| investigation_ref_id | The investigation UUID to query for applied response plans. This is the unique identifier of the investigation (incident). |
Examples
```yaml
- name: Get applied response plans for an investigation
  splunk.es.splunk_response_plan_execution_info:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
  register: result

- name: Display applied response plans
  debug:
    var: result.applied_response_plans

- name: Query with custom API path
  splunk.es.splunk_response_plan_execution_info:
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"
  register: custom_result
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Description |
|---|---|
| applied_response_plans | List of response plans applied to the investigation. Returned: always. Sample: |
| | Description of the response plan. Returned: success |
| | The unique ID of the applied response plan instance. Returned: success |
| | Name of the response plan. Returned: success |
| | List of phases in the applied response plan. Returned: success |
| | The unique ID of the phase. Returned: success |
| | Name of the phase. Returned: success |
| | List of tasks in the phase. Returned: success |
| | Description of the task. Returned: success |
| | The unique ID of the task. Returned: success |
| | Whether a note is required when completing the task. Returned: success |
| | Name of the task. Returned: success |
| | Owner/assignee of the task. Use Returned: success |
| | Current status of the task. Values are Returned: success |
| | The ID of the response plan template this was created from. Returned: success |
| changed | Always returns false as this is an info module. Returned: always. Sample: |