Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I pass a dictionary into a Format Code Block - error in expanding

nongingerale
Explorer
‎04-19-2023 07:22 PM

Hello - I'm trying to pass a dictionary into a format code block:

for example:
my_dict = {"hello":"world", "foo":"bar"}

and in the format code block i have:

Contents of dictionary:
{0}

where 0 is mycodeblockname:custom_function:my_dict.hello

and I receive a "error in expanding mycodeblockname:custom_function:my_dict.hello" message. I also tried using :, 0.hello, etc and it hasnt worked. Any suggestions are appreciated. i know that if I pass a dictionary or list from an action block then this works but a custom function doesnt work from what i can see

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 05:59 AM

@nongingerale yeah the Code Blocks have never been able to have nested JSON understood downstream. Only the new Custom Functions can as it can be a way to get around the limit of 10 outputs. 

Thanks for marking as a solution! 

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

Reply
Solved! Jump to solution

nongingerale
Explorer
‎04-20-2023 05:54 AM

thanks! that worked once i created a custom function (as opposed to passing the dictionary from a custom code block).

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...