SplunkPy: documentation updates (#33565)
* update doc

* RN

* Apply suggestions from code review

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>

---------

Co-authored-by: ShirleyDenkberg <62508050+ShirleyDenkberg@users.noreply.github.com>
2 people authored and maimorag committed Mar 27, 2024
1 parent 51e201e commit c296c47
Showing 4 changed files with 19 additions and 7 deletions.
10 changes: 5 additions & 5 deletions Packs/SplunkPy/Integrations/SplunkPy/README.md
Expand Up @@ -22,14 +22,14 @@ This integration was integrated and tested with Splunk Enterprise v9.0.4 and Ent
| Host - IP (x.x.x.x) | | True |
| Username | | True |
| Password | | True |
| Port | | True |
| Port | The port in Splunk server which is open to the REST API calls. | True |
| Fetch events query | The Splunk search query by which to fetch events. The default query fetches ES notable events. You can edit this query to fetch other types of events. Note, that to fetch ES notable events, make sure to include the \\\`notable\\\` macro in your query. | False |
| Fetch Limit (Max.- 200, Recommended less than 50) | | False |
| Fetch incidents | | False |
| Incident type | | False |
| Use Splunk Clock Time For Fetch | | False |
| Parse Raw Part of Notable Events | | False |
| Replace with Underscore in Incident Fields | | False |
| Use Splunk Clock Time For Fetch | Whether to use the Splunk clock time from the Splunk server for fetch, or not. | False |
| Parse Raw Part of Notable Events | Whether to parse the raw part of the Notables, or not. | False |
| Replace with Underscore in Incident Fields | Whether to replace special characters to underscore when parsing the raw data of the Notables, or not. | False |
| Timezone of the Splunk server, in minutes. For example, if GMT is gmt +3, set timezone to +180. For UTC, set the timezone to 0. This is relevant only for fetching and mirroring notable events. It must be specified when mirroring is enabled. | | False |
| First fetch timestamp (&lt;number&gt; &lt;time unit&gt;, e.g., 12 hours, 7 days, 3 months, 1 year) | The amount of time to go back when performing the first fetch, or when creating a mapping using the Select Schema option. | False |
| Extract Fields - CSV fields that will be parsed out of _raw notable events | | False |
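Review bot: in the Fetch events query row the macro is written as \\\`notable\\\`, which in a Markdown table cell renders as a literal backslash followed by a code span, unlike the yml source which carries \`notable\`; use one backslash per backtick, or drop the backticks in the README cell. The three new descriptions for Use Splunk Clock Time For Fetch, Parse Raw Part of Notable Events and Replace with Underscore in Incident Fields mostly restate the parameter names: remove the trailing ", or not" and state what the option changes (for example which clock bounds the fetch window when it is off), and change "replace special characters to underscore" to "replace special characters with an underscore". The Timezone row in the same table still keeps its whole explanation in the name column with an empty description column; moving that sentence into the description column would match the rows edited here.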
Expand All @@ -54,7 +54,7 @@ This integration was integrated and tested with Splunk Enterprise v9.0.4 and Ent
| Advanced: Extensive logging (for debugging purposes). Do not use this option unless advised otherwise. | | False |
| Advanced: Fetch backwards window for the events occurrence time (minutes) | The fetch time range will be at least the size specified here. This will support events that have a gap between their occurrence time and their index time in Splunk. To decide how long the backwards window should be, you need to determine the average time between them both in your Splunk environment. | False |
| Advanced: Unique ID fields | A comma-separated list of fields, which together are a unique identifier for the events to fetch in order to avoid fetching duplicates incidents. | False |
| Enable user mapping | | False |
| Enable user mapping | Whether to enable the user mapping between Cortex XSOAR and Splunk, or not. For more information see https://xsoar.pan.dev/docs/reference/integrations/splunk-py\#configure-user-mapping-between-splunk-and-cortex-xsoar | False |
| Users Lookup table name | The name of the lookup table in Splunk, containing the username's mapping data. | False |
| XSOAR user key | The name of the lookup column containing the Cortex XSOAR username. | False |
| SPLUNK user key | The name of the lookup table containing the Splunk username. | False |
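Review bot: the URL added to the Enable user mapping row contains an escaped hash (splunk-py\#configure-user-mapping-between-splunk-and-cortex-xsoar) while the yml source uses a plain #; confirm the rendered README still yields a working link to that anchor rather than text with a stray backslash. The trailing ", or not" in "Whether to enable the user mapping ..., or not" is redundant. Two adjacent context rows could be fixed in the same pass: the SPLUNK user key description says "lookup table" where the XSOAR user key row correctly says "lookup column", and "the username's mapping data" should read "the username mapping data".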
7 changes: 6 additions & 1 deletion Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml
Expand Up @@ -22,6 +22,7 @@ configuration:
required: true
type: 0
section: Connect
additionalinfo: The port in Splunk server which is open to the REST API calls.
- additionalinfo: The Splunk search query by which to fetch events. The default query fetches ES notable events. You can edit this query to fetch other types of events. Note, that to fetch ES notable events, make sure to include the \`notable\` macro in your query.
defaultvalue: search `notable` | eval rule_name=if(isnull(rule_name),source,rule_name) | eval rule_title=if(isnull(rule_title),rule_name,rule_title) | `get_urgency` | `risk_correlation` | eval rule_description=if(isnull(rule_description),source,rule_description) | eval security_domain=if(isnull(security_domain),source,security_domain) | expandtoken
display: Fetch events query
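Review bot: "The port in Splunk server which is open to the REST API calls" should read "The port on the Splunk server that accepts REST API calls". The additionalinfo key is appended after section: Connect here, whereas the next entry (Fetch events query) lists additionalinfo first; keeping one key order across entries makes the configuration block easier to diff later.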
Expand Down Expand Up @@ -51,20 +52,23 @@ configuration:
section: Collect
advanced: true
required: false
additionalinfo: Whether to use the Splunk clock time from the Splunk server for fetch, or not.
- defaultvalue: 'false'
display: Parse Raw Part of Notable Events
name: parseNotableEventsRaw
type: 8
section: Collect
advanced: true
required: false
additionalinfo: Whether to parse the raw part of the Notables, or not.
- defaultvalue: 'false'
display: Replace with Underscore in Incident Fields
name: replaceKeys
type: 8
section: Collect
advanced: true
required: false
additionalinfo: Whether to replace special characters to underscore when parsing the raw data of the Notables, or not.
- display: Timezone of the Splunk server, in minutes. For example, if GMT is gmt +3, set timezone to +180. For UTC, set the timezone to 0. This is relevant only for fetching and mirroring notable events. It must be specified when mirroring is enabled.
name: timezone
type: 0
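Review bot: the three additionalinfo strings added in this hunk ("Whether to use the Splunk clock time ... or not", "Whether to parse the raw part of the Notables, or not", "Whether to replace special characters to underscore ... or not") repeat the display names and the ", or not" suffix is redundant for a boolean; say what each option does instead, and "replace special characters to underscore" should be "replace special characters with an underscore". The timezone entry directly below still has its full explanation in display and no additionalinfo, so the UI shows a sentence-long parameter name; moving the explanation into additionalinfo and shortening display to "Timezone of the Splunk server (minutes)" would be consistent with the entries edited here.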
Expand Down Expand Up @@ -255,6 +259,7 @@ configuration:
section: Collect
advanced: true
required: false
additionalinfo: Whether to enable the user mapping between Cortex XSOAR and Splunk, or not. For more information see https://xsoar.pan.dev/docs/reference/integrations/splunk-py#configure-user-mapping-between-splunk-and-cortex-xsoar
- defaultvalue: 'splunk_xsoar_users'
display: Users Lookup table name
name: user_map_lookup_name
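Review bot: "Whether to enable the user mapping between Cortex XSOAR and Splunk, or not" can drop the trailing ", or not"; consider also naming the two parameters that only take effect when this is enabled (Users Lookup table name, XSOAR user key, SPLUNK user key) so the reader knows why they exist. The plain # in the URL here is the form the README should mirror.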
Expand Down Expand Up @@ -668,7 +673,7 @@ script:
- contextPath: Splunk.UserMapping.SplunkUser
description: Splunk user mapping.
type: String
dockerimage: demisto/splunksdk-py3:1.0.0.89431
dockerimage: demisto/splunksdk-py3:1.0.0.91477
isfetch: true
ismappable: true
isremotesyncin: true
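Review bot: the dockerimage bump from demisto/splunksdk-py3:1.0.0.89431 to 1.0.0.91477 changes the integration's runtime, which the commit title ("documentation updates") does not convey; the release note file does list it, so the only follow-up is to mention the image update in the commit message as well.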
7 changes: 7 additions & 0 deletions Packs/SplunkPy/ReleaseNotes/3_1_25.md
@@ -0,0 +1,7 @@

#### Integrations

##### SplunkPy

- General documentation improvements.
- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.91477*.
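Review bot: "General documentation improvements." could state what changed, e.g. "Added descriptions for the Port, Use Splunk Clock Time For Fetch, Parse Raw Part of Notable Events, Replace with Underscore in Incident Fields and Enable user mapping parameters", so users reading the release notes can tell the note applies to the configuration screen only.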
2 changes: 1 addition & 1 deletion Packs/SplunkPy/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "Splunk",
"description": "Run queries on Splunk servers.",
"support": "xsoar",
"currentVersion": "3.1.24",
"currentVersion": "3.1.25",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",