Describe the bug
- For bug reproduction, one needs to open any TTP correlation search type, via Content Management in ES.
- We hit the Save button (but we don't make any changes).
- We check DA-ESS-ContentUpdate/local/savedsearches.conf and we notice these parameters have appeared for the search we saved:
  - action.correlationsearch.annotations
  - action.notable.param.drilldown_searches
  - action.risk.param._risk
From what it appears, contentctl uses the built-in tojson jinja2 filter and adds 1 whitespace, while the ES Content Management adds none.
Can we have the behaviour aligned in any way?
Expected behavior
As I haven't made any changes to the parameters, I find the way ES reads those JSONized parameters and sets them in local/savedsearches.conf an issue, as it locks those parameters in place, so any further updates in default/savedsearches.conf will not be taken into account.
Screenshots
App Version:
- ESCU: 5.16.0
- SplunkEnterpriseSecuritySuite: 7.3.4
Additional context
Splunk Support Ticket: 3894188
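An added example (not from this issue, ESCU or contentctl) of one way to tell whether a local/savedsearches.conf override of the three parameters above differs from default only in JSON whitespace. The stanza name and parameter values are constructed, and each setting is assumed to sit on a single line.

```python
import configparser
import json

# The three JSON-valued parameters named in the report.
JSON_KEYS = (
    "action.correlationsearch.annotations",
    "action.notable.param.drilldown_searches",
    "action.risk.param._risk",
)

def load_conf(text):
    """Parse .conf text; assumes single-line 'key = value' settings."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp

def classify_overrides(default_text, local_text):
    """Map (stanza, key) -> 'identical' | 'formatting-only' | 'real-change'."""
    default, local = load_conf(default_text), load_conf(local_text)
    report = {}
    for stanza in local.sections():
        for key in JSON_KEYS:
            if not (default.has_option(stanza, key) and local.has_option(stanza, key)):
                continue
            d_raw, l_raw = default.get(stanza, key), local.get(stanza, key)
            try:  # compare parsed JSON so whitespace does not matter
                same = json.loads(d_raw) == json.loads(l_raw)
            except json.JSONDecodeError:
                same = d_raw == l_raw
            if d_raw == l_raw:
                report[(stanza, key)] = "identical"
            else:
                report[(stanza, key)] = "formatting-only" if same else "real-change"
    return report

# Constructed sample data (hypothetical stanza name and values).
STANZA = "ESCU - Example TTP Detection - Rule"
ANNOTATIONS = {"mitre_attack": ["T1059"], "confidence": 50}
RISK = [{"risk_object_field": "dest", "risk_object_type": "system", "risk_score": 25}]
DEFAULT_CONF = (f"[{STANZA}]\n"
                f"{JSON_KEYS[0]} = {json.dumps(ANNOTATIONS)}\n"  # spaced separators
                f"{JSON_KEYS[2]} = {json.dumps(RISK)}\n")
EDITED_RISK = [dict(RISK[0], risk_score=40)]  # a genuine local edit
LOCAL_CONF = (f"[{STANZA}]\n"
              f"{JSON_KEYS[0]} = {json.dumps(ANNOTATIONS, separators=(',', ':'))}\n"
              f"{JSON_KEYS[2]} = {json.dumps(EDITED_RISK, separators=(',', ':'))}\n")

if __name__ == "__main__":
    for (stanza, key), verdict in classify_overrides(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"{verdict:16} [{stanza}] {key}")
```

Overrides reported as formatting-only carry no analyst change and are candidates for review, since they shadow later updates shipped in default.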