Splunk SOAR

How do I pass a dictionary into a Format Code Block - error in expanding

nongingerale
Explorer

Hello - I'm trying to pass a dictionary into a format code block:

for example:
my_dict = {"hello":"world", "foo":"bar"}

and in the format code block i have:

Contents of dictionary:
{0}

where 0 is mycodeblockname:custom_function:my_dict.hello

and I receive a "error in expanding mycodeblockname:custom_function:my_dict.hello" message. I also tried using :, 0.hello, etc and it hasnt worked. Any suggestions are appreciated. i know that if I pass a dictionary or list from an action block then this works but a custom function doesnt work from what i can see

Labels (1)
0 Karma
1 Solution

phanTom
SplunkTrust
SplunkTrust

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

View solution in original post

phanTom
SplunkTrust
SplunkTrust

@nongingerale yeah the Code Blocks have never been able to have nested JSON understood downstream. Only the new Custom Functions can as it can be a way to get around the limit of 10 outputs. 

Thanks for marking as a solution! 

0 Karma

phanTom
SplunkTrust
SplunkTrust

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

nongingerale
Explorer

thanks! that worked once i created a custom function (as opposed to passing the dictionary from a custom code block).

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...