potential fix (demisto#37044)

* potential fix

* test

* RN

* update docker + RN

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py

@@ -1022,6 +1022,29 @@ def get_drilldown_timeframe(notable_data, raw) -> tuple[str, str]:
     return earliest_offset, latest_offset
 
 
+def escape_invalid_chars_in_drilldown_json(drilldown_search):
+    """ Goes over the drilldown search, and replace the unescaped or invalid chars.
+
+    Args:
+        drilldown_search (str): The drilldown search.
+
+    Returns:
+        str: The escaped drilldown search.
+    """
+    # escape the " of string from the form of 'some_key="value"' which the " char are invalid in json value
+    for unescaped_val in re.findall(r'(?<==)\"[^\"]*\"', drilldown_search):
+        escaped_val = unescaped_val.replace('"', '\\"')
+        drilldown_search = drilldown_search.replace(unescaped_val, escaped_val)
+
+    # replace the new line (\n) with in the IN (...) condition with ','
+    # Splunk replace the value of some multiline fields to the value which contain \n
+    # due to the 'expandtoken' macro
+    for multiline_val in re.findall(r'(?<=in|IN)\s*\([^\)]*\n[^\)]*\)', drilldown_search):
+        csv_val = multiline_val.replace('\n', ',')
+        drilldown_search = drilldown_search.replace(multiline_val, csv_val)
+    return drilldown_search
+
+
 def parse_drilldown_searches(drilldown_searches: list) -> list[dict]:
     """ Goes over the drilldown searches list, parses each drilldown search and converts it to a python dictionary.
 
@@ -1037,6 +1060,7 @@ def parse_drilldown_searches(drilldown_searches: list) -> list[dict]:
     for drilldown_search in drilldown_searches:
         try:
             # drilldown_search may be a json list/dict represented as string
+            drilldown_search = escape_invalid_chars_in_drilldown_json(drilldown_search)
             search = json.loads(drilldown_search)
             if isinstance(search, list):
                 searches.extend(search)

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml

@@ -673,7 +673,7 @@ script:
     - contextPath: Splunk.UserMapping.SplunkUser
       description: Splunk user mapping.
       type: String
-  dockerimage: demisto/splunksdk-py3:1.0.0.108075
+  dockerimage: demisto/splunksdk-py3:1.0.0.115556
   isfetch: true
   ismappable: true
   isremotesyncin: true

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_test.py

@@ -2788,3 +2788,30 @@ def test_get_drilldown_searches(drilldown_data, expected):
     """
 
     assert splunk.get_drilldown_searches(drilldown_data) == expected
+
+
+@pytest.mark.parametrize('drilldown_search, expected_res',
+                         [('{"name":"test", "query":"|key="the value""}', 'key="the value"'),
+                          ('{"name":"test", "query":"|key in (line_1\nline_2)"}', 'key in (line_1,line_2)'),
+                          ('{"name":"test", "query":"search a=$a|s$ c=$c$ suffix"}', 'search a=$a|s$ c=$c$ suffix')])
+def test_escape_invalid_chars_in_drilldown_json(drilldown_search, expected_res):
+    """
+    Scenario: When extracting the drilldown search query which are a json string,
+    we should escape unescaped JSON special characters.
+
+    Given:
+    - A raw search query with text like 'key="a value"'.
+    - A raw search query with text like where 'key in (a\nb)' which it should be 'key in (a,b)'.
+    - A raw search query with normal json string, should not be changed by this function.
+
+    When:
+    - escape_invalid_chars_in_drilldown_json is called
+
+    Then:
+    - Return the expected result
+    """
+    import json
+
+    res = splunk.escape_invalid_chars_in_drilldown_json(drilldown_search)
+
+    assert expected_res in json.loads(res)['query']

Packs/SplunkPy/ReleaseNotes/3_1_41.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### SplunkPy
+
+- Fixed an issue where drilldown enrichment failed due to use of JSON special characters in the query.
+- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.115556*.

Packs/SplunkPy/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Splunk",
     "description": "Run queries on Splunk servers.",
     "support": "xsoar",
-    "currentVersion": "3.1.40",
+    "currentVersion": "3.1.41",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",