Splunk SOAR

Help with Display Extracted List Items Vertically in Format Block

Sidpet
Loves-to-Learn

Hi all,

I have a playbook where I extract multiple rule titles from an ES investigation. Currently, the data shows like this in the results:

Rule Title: 2 items

0: item 1

1: item 2

When I extract it and create a ServiceNow ticket, it shows the items like this: ['item 1', 'item 2']. I want them to be displayed like they show in the results, vertically, one item below the other and without the brackets. I tried the

%%
{0}
%%

but it does not work. Any ideas to help resolve this?

I'm using SOAR version 6.4.x. Any guidance or best practices would be appreciated. I'm still a novice learning the tool.

Thanks!

0 Karma

phanTom
SplunkTrust

@Sidpet 

The create ticket action on the SNOW app takes in a string. Is the input to the Format Block a list of items or just text/string?

What format block datapath are you inputting into the description field for the SNOW action? Don't use the ".*" one, as that will imply to the SNOW action input that it's a list. The one without the ".*" end will just dump a text blob built in the Format Block.

If you need further help, share a screenshot of your format block and the input for the SNOW create ticket action, and we can probably identify where to check next.

-- If this helped please add karma and if it solved it also mark as a solution for future SOAR knowledge hunters! Happy SOARing --

0 Karma
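
For readers who would rather flatten the value in Python (for example in a playbook code block or custom function) before it reaches the ticket description, here is an added example that is not from the thread or from Splunk. The function name `titles_to_text` is hypothetical, and it assumes the rule titles arrive either as a real list or as the stringified list shown in the question.

```python
import ast


def titles_to_text(value):
    """Return rule titles as newline-separated text, without brackets or quotes."""
    if value is None:
        return ""
    if isinstance(value, str):
        text = value.strip()
        # A list that was already cast to a string looks like "['item 1', 'item 2']".
        if text.startswith("[") and text.endswith("]"):
            try:
                # literal_eval only parses Python literals; it never executes code.
                value = ast.literal_eval(text)
            except (ValueError, SyntaxError):
                return text  # not a real list literal, pass it through unchanged
        else:
            return text
    if not isinstance(value, (list, tuple)):
        return str(value)
    lines = []
    for item in value:
        if isinstance(item, (list, tuple)):
            # Collected results can be nested one level per action result.
            nested = titles_to_text(item)
            if nested:
                lines.append(nested)
        elif item is not None and str(item).strip():
            lines.append(str(item).strip())
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values matching the question's symptom.
    print(titles_to_text(["item 1", "item 2"]))
    print(titles_to_text("['item 1', 'item 2']"))
```

The returned value is a single string, which matches the string input the create ticket action expects.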