Splunk SOAR (f.k.a. Phantom)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I pass a dictionary into a Format Code Block - error in expanding

nongingerale
Explorer
‎04-19-2023 07:22 PM

Hello - I'm trying to pass a dictionary into a format code block:

for example:
my_dict = {"hello":"world", "foo":"bar"}

and in the format code block i have:

Contents of dictionary:
{0}

where 0 is mycodeblockname:custom_function:my_dict.hello

and I receive a "error in expanding mycodeblockname:custom_function:my_dict.hello" message. I also tried using :, 0.hello, etc and it hasnt worked. Any suggestions are appreciated. i know that if I pass a dictionary or list from an action block then this works but a custom function doesnt work from what i can see

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 05:59 AM

@nongingerale yeah the Code Blocks have never been able to have nested JSON understood downstream. Only the new Custom Functions can as it can be a way to get around the limit of 10 outputs. 

Thanks for marking as a solution! 

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

Reply
Solved! Jump to solution

nongingerale
Explorer
‎04-20-2023 05:54 AM

thanks! that worked once i created a custom function (as opposed to passing the dictionary from a custom code block).

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...