[Marketplace Contribution] Splunk - Content Pack Update (#41418)

content-bot · xsoar-bot · merit-maita · web-flow · commit 69df8fddc843 · 2025-09-27T21:22:25.000+03:00
* [Marketplace Contribution] Splunk - Content Pack Update (#41374) * "contribution update to pack 'Splunk'" * Update Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml --------- Co-authored-by: merit-maita <49760643+merit-maita@users.noreply.github.com> * edit * edit * edit * edit --------- Co-authored-by: xsoar-bot <67315154+xsoar-bot@users.noreply.github.com> Co-authored-by: merit-maita <49760643+merit-maita@users.noreply.github.com> Co-authored-by: merit-maita <meretmaayta@gmail.com>
diff --git a/Packs/SplunkPy/Integrations/SplunkPy/README.md b/Packs/SplunkPy/Integrations/SplunkPy/README.md
@@ -128,13 +128,13 @@ Configured by the instance configuration fetch_limit (behind the scenes an query
 | The app context of the namespace |  | False |
 | HEC Token (HTTP Event Collector) |  | False |
 | HEC BASE URL (e.g: https://localhost:8088 or https://example.splunkcloud.com/). |  | False |
-| Enrichment Types | Enrichment types to enrich each fetched notable. If none are selected, the integration will fetch notables as usual \(without enrichment\). Multiple drilldown searches enrichment is supported from Enterprise Security v7.2.0. For more info about enrichment types see [Enriching Notable Events](#enriching-notable-events). | False |
+| Enrichment Types | Enrichment types to enrich each fetched notable. If none are selected, the integration will fetch notables as usual \(without enrichment\). Multiple drilldown searches enrichment is supported from Enterprise Security v7.2.0. For more info about enrichment types see the integration additional info. | False |
 | Asset enrichment lookup tables | CSV of the Splunk lookup tables from which to take the Asset enrichment data. | False |
 | Identity enrichment lookup tables | CSV of the Splunk lookup tables from which to take the Identity enrichment data. | False |
 | Enrichment Timeout (Minutes) | When the selected timeout was reached, notable events that were not enriched will be saved without the enrichment. | False |
 | Number of Events Per Enrichment Type | The limit of how many events to retrieve per each one of the enrichment types \(Drilldown, Asset, and Identity\). In a case of multiple drilldown enrichments the limit will apply for each drilldown search query. To retrieve all events, enter "0" \(not recommended\). | False |
 | Advanced: Extensive logging (for debugging purposes). Do not use this option unless advised otherwise. |  | False |
-| Advanced: Time type to use when fetching events | Defines which timestamp will be used to filter the events:<br/>- creation time: Filters based on when the event actually occurred.<br/>- index time \(Beta\): \*Beta feature\* – Filters based on when the event was ingested into Splunk.  <br/>  This option is still in testing and may not behave as expected in all scenarios.  <br/>  When using this mode, the parameter "Fetch backwards window for the events occurrence time \(minutes\)" should be set to \`0\`\`, as indexing time ensures there are no delay-based gaps.<br/>  The default is "creation time".<br/> |  |
+| Advanced: Time type to use when fetching events | Defines which timestamp will be used to filter the events:<br/>- creation time: Filters based on when the event actually occurred.<br/>- index time \(Beta\): \*Beta feature\* – Filters based on when the event was ingested into Splunk.  <br/>  This option is still in testing and may not behave as expected in all scenarios.  <br/>  When using this mode, the parameter "Fetch backwards window for the events occurrence time \(minutes\)" should be set to \`0\`\`, as indexing time ensures there are no delay-based gaps.<br/>  The default is "creation time".<br/> | False |
 | Advanced: Fetch backwards window for the events occurrence time (minutes) | The fetch time range will be at least the size specified here. This will support events that have a gap between their occurrence time and their index time in Splunk. To decide how long the backwards window should be, you need to determine the average time between them both in your Splunk environment. | False |
 | Advanced: Unique ID fields | A comma-separated list of fields, which together are a unique identifier for the events to fetch in order to avoid fetching duplicates incidents. | False |
 | Enable user mapping | Whether to enable the user mapping between Cortex XSOAR and Splunk, or not. For more information see https://xsoar.pan.dev/docs/reference/integrations/splunk-py\#configure-user-mapping-between-splunk-and-cortex-xsoar | False |
@@ -628,47 +628,31 @@ Parses the raw part of the event.
 ### splunk-submit-event-hec
 
 ***
-Sends events Splunk. if `batch_event_data` or `entry_id` arguments are provided then all arguments related to a single event are ignored.
+Sends events to an HTTP Event Collector using the Splunk platform JSON event protocol.
 
-##### Base Command
+#### Base Command
 
 `splunk-submit-event-hec`
 
-##### Input
+#### Input
 
 | **Argument Name** | **Description** | **Required** |
 | --- | --- | --- |
-| event | The event payload key-value pair. An example string: "event": "Access log test message.". | Optional |
+| event | Event payload key-value pair.<br/>String example: "event": "Access log test message". | Optional |
 | fields | Fields for indexing that do not occur in the event payload itself. Accepts multiple, comma-separated, fields. | Optional |
 | index | The index name. | Optional |
 | host | The hostname. | Optional |
-| source_type | The user-defined event source type. | Optional |
-| source | The user-defined event source. | Optional |
-| time | The epoch-formatted time. | Optional |
-| batch_event_data | A  batch of events to send to Splunk. For example, `{"event": "something happened at 14/10/2024 12:29", "fields": {"severity": "INFO", "category": "test2, test2"}, "index": "index0","sourcetype": "sourcetype0","source": "/example/something" } {"event": "something happened at 14/10/2024 13:29", "index": "index1", "sourcetype": "sourcetype1","source": "/example/something", "fields":{ "fields" : "severity: INFO, category: test2, test2"}}`. **If provided, the arguments related to a single event and the `entry_id` argument are ignored.** | Optional |
-| batch_event_data | A  batch of events to send to splunk. For example, `{"event": "something happened at 14/10/2024 12:29", "fields": {"severity": "INFO", "category": "test2, test2"}, "index": "index0","sourcetype": "sourcetype0","source": "/example/something" } {"event": "something happened at 14/10/2024 13:29", "index": "index1", "sourcetype": "sourcetype1","source": "/exeample/something", "fields":{ "fields" : "severity: INFO, category: test2, test2"}}`. **If provided, the arguments related to a single event and the `entry_id` argument are ignored.** | Optional |
-| entry_id | The entry id in Cortex XSOAR of the file containing a batch of events. Content of the file should be valid batch event's data, as it would be provided to the `batch_event_data`. **If provided, the arguments related to a single event are ignored.** | Optional |
+| source_type | User-defined event source type. | Optional |
+| source | User-defined event source. | Optional |
+| time | Epoch-formatted time. | Optional |
+| request_channel | A channel identifier (ID) where to send the request, must be a Globally Unique Identifier (GUID). If the indexer acknowledgment is turned on, a channel is required. | Optional |
+| batch_event_data | A  batch of events to send to Splunk. For example, `{"event": "something happened at 14/10/2024 12:29", "fields": {"severity": "INFO", "category": "test2, test2"}, "index": "index0","sourcetype": "sourcetype0","source": "/example/something" } {"event": "something happened at 14/10/2024 13:29", "index": "index1", "sourcetype": "sourcetype1","source": "/example/something", "fields":{ "fields" : "severity: INFO, category: test2, test2"}}`. If provided all arguments except of `request_channel` are ignored. | Optional |
+| entry_id | The entry ID in Cortex XSOAR of the file containing a batch of events. If provided, the arguments related to a single event are ignored. | Optional |
 
-##### Batched events description
-
-This command allows sending events to Splunk, either as a single event or a batch of multiple events.
-To send a single event: Use the `event`, `fields`, `host`, `index`, `source`, `source_type`, and `time` arguments.
-To send a batch of events, there are two options, either use the batch_event_data argument or use the entry_id argument (for a file uploaded to Cortex XSOAR).
-Batch format requirements: The batch must be a single string containing valid dictionaries, each representing an event. Events should not be separated by commas. Each dictionary should include all necessary fields for an event. For example: `{"event": "event occurred at 14/10/2024 12:29", "fields": {"severity": "INFO", "category": "test1"}, "index": "index0", "sourcetype": "sourcetype0", "source": "/path/event1"} {"event": "event occurred at 14/10/2024 13:29", "index": "index1", "sourcetype": "sourcetype1", "source": "/path/event2", "fields": {"severity": "INFO", "category": "test2"}}`.
-This formatted string can be passed directly via `batch_event_data`, or, if saved in a file, the file can be uploaded to Cortex XSOAR, and the `entry_id` (e.g., ${File.[4].EntryID}) should be provided.
-
-##### Context Output
+#### Context Output
 
 There is no context output for this command.
 
-##### Command Example
-
-```!splunk-submit-event-hec event="something happened" fields="severity: INFO, category: test, test1" source_type=access source="/var/log/access.log"```
-
-##### Human Readable Output
-
-The event was sent successfully to Splunk.
-
 ### splunk-job-status
 
 ***
@@ -1313,3 +1297,23 @@ Under **Used for communication between Cortex XSOAR and customer resources**. Ch
 If you encounter fetch issues and you have enriching enabled, the issue may be the result of pressing the `Reset the "last run" timestamp` button.  
 Note that the way to reset the mechanism is to run the `splunk-reset-enriching-fetch-mechanism` command.  
 See [here](#resetting-the-enriching-fetch-mechanism).
+
+### splunk-job-share
+
+***
+Change job settings to share its results to all Splunk users, and change its TTL.
+
+#### Base Command
+
+`splunk-job-share`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| sid | Comma-separated list of job IDs to share. | Required |
+| ttl | Time in seconds for the job's expiry time. Default is 1800. | Optional |
+
+#### Context Output
+
+There is no context output for this command.
diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py
@@ -1,3 +1,5 @@
+import demistomock as demisto  # noqa: F401
+from CommonServerPython import *  # noqa: F401
 import hashlib
 import io
 import json
@@ -7,10 +9,10 @@
 
 import dateparser
 from collections import defaultdict
-import demistomock as demisto  # noqa: F401
+
 import pytz
 import requests
-from CommonServerPython import *  # noqa: F401
+
 from packaging.version import Version  # noqa: F401
 from splunklib import client, results
 from splunklib.binding import AuthenticationError, HTTPError, namespace
@@ -3589,6 +3591,60 @@ def splunk_job_status(service: client.Service, args: dict) -> list[CommandResult
     return job_results
 
 
+def splunk_job_share(service: client.Service, args: dict) -> list[CommandResults]:  # pragma: no cover
+    sids = argToList(args.get("sid"))
+    try:
+        ttl = int(args.get("ttl", 1800))
+    except ValueError:
+        return_error(f"Input error: Invalid TTL provided, '{args.get('ttl')}'. Must be a valid integer.")
+
+    job_results = []
+    for sid in sids:
+        try:
+            job = service.job(sid)
+        except HTTPError as error:
+            if str(error) == "HTTP 404 Not Found -- Unknown sid.":
+                job_results.append(CommandResults(readable_output=f"Not found job for SID: {sid}"))
+            else:
+                job_results.append(
+                    CommandResults(readable_output=f"Querying splunk for SID: {sid} resulted in the following error {str(error)}")
+                )
+        else:
+            try:
+                ttl_results = True
+                job.set_ttl(ttl)  # extend time-to-live for results
+            except HTTPError as error:
+                job_results.append(
+                    CommandResults(
+                        readable_output=f"Error increasing TTL for SID: {sid} resulted in the following error {str(error)}"
+                    )
+                )
+                ttl_results = False
+            try:
+                share_results = True
+                endpoint = f"search/jobs/{sid}/acl"
+                service.post(endpoint, **{"sharing": "global", "perms.read": "*"})
+            except HTTPError as error:
+                job_results.append(
+                    CommandResults(
+                        readable_output=f"Error changing permissions for SID: {sid} resulted in the following error {str(error)}"
+                    )
+                )
+                share_results = False
+
+            entry_context = {"SID": sid, "TTL updated": str(ttl_results), "Sharing updated": str(share_results)}
+            human_readable = tableToMarkdown("Splunk Job Updates", entry_context)
+            job_results.append(
+                CommandResults(
+                    outputs=entry_context,
+                    readable_output=human_readable,
+                    outputs_prefix="Splunk.JobUpdates",
+                    outputs_key_field="SID",
+                )
+            )
+    return job_results
+
+
 def splunk_parse_raw_command(args: dict):
     raw = args.get("raw", "")
     rawDict = rawToDict(raw)
@@ -3990,6 +4046,8 @@ def main():  # pragma: no cover
         splunk_submit_event_hec_command(params, service, args)
     elif command == "splunk-job-status":
         return_results(splunk_job_status(service, args))
+    elif command == "splunk-job-share":
+        return_results(splunk_job_share(service, args))
     elif command.startswith("splunk-kv-") and service is not None:
         app = args.get("app_name", "search")
         service.namespace = namespace(app=app, owner="nobody", sharing="app")
diff --git a/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml b/Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml
@@ -181,6 +181,7 @@ configuration:
   displaypassword: HEC Token (HTTP Event Collector)
   hiddenusername: true
   required: false
+  display: ''
 - display: 'HEC Token (HTTP Event Collector)'
   name: hec_token
   type: 4
@@ -257,6 +258,7 @@ configuration:
       The default is "creation time".
   section: Collect
   advanced: true
+  required: false
 - defaultvalue: '15'
   display: 'Advanced: Fetch backwards window for the events occurrence time (minutes)'
   name: occurrence_look_behind
@@ -476,7 +478,6 @@ script:
         Event payload key-value pair.
         String example: "event": "Access log test message".
       name: event
-      required: false
     - description: Fields for indexing that do not occur in the event payload itself. Accepts multiple, comma-separated, fields.
       name: fields
     - description: The index name.
@@ -700,14 +701,25 @@ script:
     - contextPath: Splunk.UserMapping.SplunkUser
       description: Splunk user mapping.
       type: String
-  dockerimage: demisto/splunksdk-py3:1.0.0.4418698
+  - arguments:
+    - description: Comma-separated list of job IDs to share.
+      isArray: true
+      name: sid
+      required: true
+    - defaultValue: '1800'
+      description: Time in seconds for the job's expiry time.
+      name: ttl
+    description: Change job settings to share its results to all Splunk users, and change its TTL.
+    name: splunk-job-share
+  dockerimage: demisto/splunksdk-py3:1.0.0.4887903
   isfetch: true
   ismappable: true
   isremotesyncin: true
   isremotesyncout: true
   script: ''
   subtype: python3
   type: python
+  runonce: false
 tests:
 - SplunkPySearch_Test_default_handler
 - SplunkPy-Test-V2_default_handler
diff --git a/Packs/SplunkPy/ReleaseNotes/3_3_1.md b/Packs/SplunkPy/ReleaseNotes/3_3_1.md
@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### SplunkPy
+
+- Added support for **splunk-job-share** command that change job settings to share its results to all splunk users, and change its ttl.
+- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.4887903*.
diff --git a/Packs/SplunkPy/pack_metadata.json b/Packs/SplunkPy/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Splunk",
     "description": "Run queries on Splunk servers.",
     "support": "xsoar",
-    "currentVersion": "3.3.0",
+    "currentVersion": "3.3.1",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",
