SplunkPy: fix bug in drilldown enrichemnt (#35368)

* fix + RN * fix pre commit * Apply suggestions from code review Co-authored-by: Shachar Kidor <[email protected]> --------- Co-authored-by: Shachar Kidor <[email protected]>
demisto · Jul 15, 2024 · 49ed605 · 49ed605
1 parent 3bb8d4e
commit 49ed605
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 8 deletions.
diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py
@@ -1036,15 +1036,19 @@ def parse_drilldown_searches(drilldown_searches: list) -> list[dict]:
         drilldown_searches (list): The list of the drilldown searches.
 
     Returns:
-        list[str]: A list of the drilldown searches dictionaries.
+        list[dict]: A list of the drilldown searches dictionaries.
     """
     demisto.debug("There are multiple drilldown searches to enrich, parsing each drilldown search object")
     searches = []
 
     for drilldown_search in drilldown_searches:
         try:
+            # drilldown_search may be a json list/dict represented as string
             search = json.loads(drilldown_search)
-            searches.append(search)
+            if isinstance(search, list):
+                searches.extend(search)
+            else:
+                searches.append(search)
         except json.JSONDecodeError as e:
             demisto.error(f"Caught an exception while parsing a drilldown search object."
                           f"Drilldown search is: {drilldown_search}, Original Error is: {str(e)}")
@@ -1074,7 +1078,7 @@ def get_drilldown_searches(notable_data):
             # The drilldown_searches are a list of searches data stored as json strings:
             return parse_drilldown_searches(drilldown_search)
         else:
-            # The drilldown_searches are a dict of search data stored as json string.
+            # The drilldown_searches are a dict/list of the search data in a JSON string representation.
             return parse_drilldown_searches([drilldown_search])
     return []
 

diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml
@@ -673,7 +673,7 @@ script:
     - contextPath: Splunk.UserMapping.SplunkUser
       description: Splunk user mapping.
       type: String
-  dockerimage: demisto/splunksdk-py3:1.0.0.100380
+  dockerimage: demisto/splunksdk-py3:1.0.0.103333
   isfetch: true
   ismappable: true
   isremotesyncin: true

diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_test.py b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_test.py
@@ -2679,17 +2679,23 @@ def test_single_drilldown_searches(mocker):
     [({'drilldown_search': 'test'}, ['test']),
      ({'drilldown_searches': '{"search_1":"test_1"}'}, [{'search_1': 'test_1'}]),
      ({'drilldown_searches': ['{"search_1":"test_1"}', '{"search_2":"test_2"}']},
+      [{'search_1': 'test_1'}, {'search_2': 'test_2'}]),
+     ({'drilldown_searches': '[{"search_1":"test_1"}]'},
+      [{'search_1': 'test_1'}]),
+     ({'drilldown_searches': '[{"search_1":"test_1"}, {"search_2":"test_2"}]'},
       [{'search_1': 'test_1'}, {'search_2': 'test_2'}])
      ]
 )
 def test_get_drilldown_searches(drilldown_data, expected):
     """
     Given:  -
         1. A notable data with a single 'old' (string value in the 'drilldown_search' key) drilldown enrichment data .
-        4. A notable data with a single drilldown enrichments as json string in the 'new' key (drilldown_searches).
-        5. A notable data with multiple drilldown enrichments as json string in the 'new' key (drilldown_searches).
+        2. A notable data with a single drilldown enrichments as json string in the 'new' key (drilldown_searches).
+        3. A notable data with multiple drilldown enrichments as json string in the 'new' key (drilldown_searches).
+        4. A notable data with a single drilldown enrichments as json list string in the 'new' key (drilldown_searches).
+        5. A notable data with a multiple drilldown enrichments as json list string in the 'new' key (drilldown_searches).
     When:   - call to get_drilldown_searches.
-    Then:   - validate the result are as expectedץ
+    Then:   - validate the result are as expected.
     """
 
     assert splunk.get_drilldown_searches(drilldown_data) == expected
diff --git a/Packs/SplunkPy/ReleaseNotes/3_1_33.md b/Packs/SplunkPy/ReleaseNotes/3_1_33.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### SplunkPy
+
+- Fixed an issue where the drilldown enrichment of a single drilldown search has stopped working.
+- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.103333*.
diff --git a/Packs/SplunkPy/pack_metadata.json b/Packs/SplunkPy/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Splunk",
     "description": "Run queries on Splunk servers.",
     "support": "xsoar",
-    "currentVersion": "3.1.32",
+    "currentVersion": "3.1.33",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",