Fix splunk search in incident context

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.py

@@ -2048,12 +2048,13 @@ def build_search_query(args):
 
 def create_entry_context(args: dict, parsed_search_results, dbot_scores, status_res, job_id):
     ec = {}
+    dbot_ec = {}
     number_of_results = len(parsed_search_results)
 
     if args.get('update_context', "true") == "true":
         ec['Splunk.Result'] = parsed_search_results
         if len(dbot_scores) > 0:
-            ec['DBotScore'] = dbot_scores
+            dbot_ec['DBotScore'] = dbot_scores
         if status_res:
             ec['Splunk.JobStatus(val.SID && val.SID === obj.SID)'] = {
                 **status_res.outputs, 'TotalResults': number_of_results}
@@ -2062,7 +2063,7 @@ def create_entry_context(args: dict, parsed_search_results, dbot_scores, status_
         ec['Splunk.JobStatus(val.SID && val.SID === obj.SID)'] = [{'SID': job_id,
                                                                    'TotalResults': number_of_results,
                                                                    'Status': status}]
-    return ec
+    return ec, dbot_ec
 
 
 def schedule_polling_command(command: str, args: dict, interval_in_secs: int) -> ScheduledCommand:
@@ -2160,7 +2161,7 @@ def parse_batch_of_results(current_batch_of_results, max_results_to_add, app):
     return parsed_batch_results, batch_dbot_scores
 
 
-def splunk_search_command(service: client.Service, args: dict) -> CommandResults:
+def splunk_search_command(service: client.Service, args: dict) -> CommandResults | list[CommandResults]:
     query = build_search_query(args)
     polling = argToBoolean(args.get("polling", False))
     search_kwargs = build_search_kwargs(args, polling)
@@ -2207,14 +2208,20 @@ def splunk_search_command(service: client.Service, args: dict) -> CommandResults
         dbot_scores.extend(batch_dbot_scores)
 
         results_offset += batch_size
-    entry_context = create_entry_context(args, total_parsed_results, dbot_scores, status_cmd_result, str(job_sid))
+    entry_context_splunk_search, entry_context_dbot_score = create_entry_context(
+        args, total_parsed_results, dbot_scores, status_cmd_result, str(job_sid))
     human_readable = build_search_human_readable(args, total_parsed_results, str(job_sid))
-
-    return CommandResults(
-        outputs=entry_context,
+    results = [CommandResults(
+        outputs=entry_context_splunk_search,
         raw_response=total_parsed_results,
         readable_output=human_readable
-    )
+    )]
+    dbot_table_headers = ['Indicator', 'Type', 'Vendor', 'Score', 'isTypedIndicator']
+    if entry_context_dbot_score:
+        results.append(CommandResults(
+            outputs=entry_context_dbot_score,
+            readable_output=tableToMarkdown("DBot Score", entry_context_dbot_score['DBotScore'], headers=dbot_table_headers)))
+    return results
 
 
 def splunk_job_create_command(service: client.Service, args: dict):

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy.yml

@@ -433,7 +433,7 @@ script:
   - arguments:
     - description: |-
         Event payload key-value pair.
-        String example: "event": "Access log test message."
+        String example: "event": "Access log test message".
       name: event
       required: true
     - description: Fields for indexing that do not occur in the event payload itself. Accepts multiple, comma-separated, fields.
@@ -505,7 +505,7 @@ script:
     description: Creates the KV store collection transform.
     name: splunk-kv-store-collection-create-transform
   - arguments:
-    - description: 'The data to add to the KV store collection, according to the collection JSON format, e.g., [{"name": "Splunk HQ", "id": 456, "address": { "street": "340 Brannan Street", "city": "San Francisco", "state": "CA", "zip": "121212"}}, {"name": "Splunk HQ", "id": 123, "address": { "street": "250 Brannan Street", "city": "San Francisco", "state": "CA", "zip": "94107"}}]'
+    - description: 'The data to add to the KV store collection, according to the collection JSON format, e.g., [{"name": "Splunk HQ", "id": 456, "address": { "street": "340 Brannan Street", "city": "San Francisco", "state": "CA", "zip": "121212"}}, {"name": "Splunk HQ", "id": 123, "address": { "street": "250 Brannan Street", "city": "San Francisco", "state": "CA", "zip": "94107"}}].'
       name: kv_store_data
       required: true
     - description: The name of the KV store collection.
@@ -652,7 +652,7 @@ script:
     - contextPath: Splunk.UserMapping.SplunkUser
       description: Splunk user mapping.
       type: String
-  dockerimage: demisto/splunksdk-py3:1.0.0.72507
+  dockerimage: demisto/splunksdk-py3:1.0.0.73687
   isfetch: true
   ismappable: true
   isremotesyncin: true

Packs/SplunkPy/Integrations/SplunkPy/SplunkPy_test.py

@@ -1542,6 +1542,7 @@ def test_splunk_search_command(mocker, polling, status):
 
     mocker.patch.object(ScheduledCommand, 'raise_error_if_not_supported')
     search_result = splunk.splunk_search_command(Service(status), mock_args)
+    search_result = search_result if isinstance(search_result, CommandResults) else search_result[0]
 
     if search_result.scheduled_command:
         assert search_result.outputs['Status'] == status

Packs/SplunkPy/ReleaseNotes/3_1_8.json

@@ -0,0 +1 @@
+{"breakingChanges":true,"breakingChangesNotes":"Changed the result object returned from **splunk-search** command. the result will now be returned as a list of CommandResults."}

Packs/SplunkPy/ReleaseNotes/3_1_8.md

@@ -0,0 +1,7 @@
+
+#### Integrations
+
+##### SplunkPy
+
+- Fixed an issue where **splunk-search** results will sometimes be shared via multiple incidents context.
+- Updated the Docker image to: *demisto/splunksdk-py3:1.0.0.73687*.

Packs/SplunkPy/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Splunk",
     "description": "Run queries on Splunk servers.",
     "support": "xsoar",
-    "currentVersion": "3.1.7",
+    "currentVersion": "3.1.8",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",