splunk.es.splunk_response_plan_info module – Gather information about Splunk Enterprise Security response plans
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_response_plan_info.
New in splunk.es 5.1.0
Synopsis
This module allows for querying information about Splunk Enterprise Security response plans.
Use this module to retrieve response plan configurations without making changes.
Query by name to filter response plans by exact name match.
If name is not specified, returns all response plans.
Returns complete response plan structure including all IDs (response plan ID, phase IDs, task IDs).
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Comments |
|---|---|
| | The app portion of the Splunk API path for the response templates endpoint. Override this if your environment uses a different app name. Default: |
| | The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: |
| | The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: |
| | Maximum number of response plans to return. If not specified, returns all matching response plans. Useful for limiting results when querying large numbers of response plans. |
| | Name to filter response plans. Returns the response plan with an exact name match. If not specified, returns all response plans. |
Examples
- name: Query all response plans
  splunk.es.splunk_response_plan_info:
  register: all_plans

- name: Query specific response plan by name
  splunk.es.splunk_response_plan_info:
    name: "Incident Response Plan"
  register: result

- name: Query response plans with custom API path
  splunk.es.splunk_response_plan_info:
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"
  register: custom_plans
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| | List of response plans matching the query Returned: always Sample: |
| | Description of the response plan Returned: success |
| | The unique ID of the response plan Returned: success |
| | Name of the response plan Returned: success |
| | List of phases in the response plan Returned: success |
| | The unique ID of the phase Returned: success |
| | Name of the phase Returned: success |
| | List of tasks in the phase Returned: success |
| | Description of the task Returned: success |
| | The unique ID of the task Returned: success |
| | Whether a note is required when completing the task Returned: success |
| | Name of the task Returned: success |
| | Owner of the task Returned: success |
| | List of saved searches attached to the task Returned: success |
| | Description of the search Returned: success |
| | Name of the search Returned: success |
| | The SPL query Returned: success |
| | The template ID of the response plan (used for investigation_type associations) Returned: when available |
| | Status of the response plan template (published or draft) Returned: success |
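
Because the module is read-only, it suits a pre-flight audit that fails a run when a response plan is missing, still a draft, or has an empty phase. The playbook below is an added example, not taken from the splunk.es collection. The return keys it reads (`response_plans`, `template_status`, `phases`, `tasks`) are assumptions, since the key names are not shown on this page, and the `splunk` inventory group and `plan_name` variable are hypothetical.

```yaml
# Added example; not part of the splunk.es collection documentation.
# Assumed return keys: response_plans, template_status, phases, tasks.
- name: Audit a Splunk ES response plan without changing it
  hosts: splunk            # hypothetical inventory group for the Splunk ES host
  gather_facts: false
  vars:
    plan_name: "Incident Response Plan"
  tasks:
    - name: Query the plan by exact name
      splunk.es.splunk_response_plan_info:
        name: "{{ plan_name }}"
      register: result

    - name: Fail if the plan is missing or the name matches more than one plan
      ansible.builtin.assert:
        that:
          - result.response_plans | length == 1
        fail_msg: "Expected exactly one response plan named '{{ plan_name }}'"

    - name: Fail if the plan is a draft or contains a phase with no tasks
      ansible.builtin.assert:
        that:
          - plan.template_status == 'published'
          - plan.phases | length > 0
          - plan.phases | selectattr('tasks', 'equalto', []) | list | length == 0
        fail_msg: "Response plan '{{ plan_name }}' is not ready for use"
      vars:
        # The first (and only) plan returned by the exact-name query above
        plan: "{{ result.response_plans | first }}"
```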