Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I pass a dictionary into a Format Code Block - error in expanding

nongingerale
Explorer
‎04-19-2023 07:22 PM

Hello - I'm trying to pass a dictionary into a format code block:

for example:
my_dict = {"hello":"world", "foo":"bar"}

and in the format code block i have:

Contents of dictionary:
{0}

where 0 is mycodeblockname:custom_function:my_dict.hello

and I receive a "error in expanding mycodeblockname:custom_function:my_dict.hello" message. I also tried using :, 0.hello, etc and it hasnt worked. Any suggestions are appreciated. i know that if I pass a dictionary or list from an action block then this works but a custom function doesnt work from what i can see

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 05:59 AM

@nongingerale yeah the Code Blocks have never been able to have nested JSON understood downstream. Only the new Custom Functions can as it can be a way to get around the limit of 10 outputs. 

Thanks for marking as a solution! 

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

Reply
Solved! Jump to solution

nongingerale
Explorer
‎04-20-2023 05:54 AM

thanks! that worked once i created a custom function (as opposed to passing the dictionary from a custom code block).

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...