Splunk SOAR
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I pass a dictionary into a Format Code Block - error in expanding

nongingerale
Explorer
‎04-19-2023 07:22 PM

Hello - I'm trying to pass a dictionary into a format code block:

for example:
my_dict = {"hello":"world", "foo":"bar"}

and in the format code block i have:

Contents of dictionary:
{0}

where 0 is mycodeblockname:custom_function:my_dict.hello

and I receive a "error in expanding mycodeblockname:custom_function:my_dict.hello" message. I also tried using :, 0.hello, etc and it hasnt worked. Any suggestions are appreciated. i know that if I pass a dictionary or list from an action block then this works but a custom function doesnt work from what i can see

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

View solution in original post

Reply
Solved! Jump to solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 05:59 AM

@nongingerale yeah the Code Blocks have never been able to have nested JSON understood downstream. Only the new Custom Functions can as it can be a way to get around the limit of 10 outputs. 

Thanks for marking as a solution! 

0 Karma
Reply
Solved! Jump to solution
Solution

phanTom
SplunkTrust
SplunkTrust
‎04-20-2023 01:12 AM

@nongingerale there are a few possibilities why this might not be working. I tested it and it worked as expected for me so here is how i tested it:

Created a CF with a dict output:

phanTom_0-1681978224049.png


Built a scratch playbook to use the CF:

phanTom_1-1681978299997.png

 

Then outputted the value to a comment:

phanTom_2-1681978336120.png


Hopefully something in there may help point out the issue.

-- If this solved your issue please mark as a solution for others. Happy SOARing --

Reply
Solved! Jump to solution

nongingerale
Explorer
‎04-20-2023 05:54 AM

thanks! that worked once i created a custom function (as opposed to passing the dictionary from a custom code block).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...