From bf3d2dfd24b5ee662bcb0f06fa81e312e382ed2d Mon Sep 17 00:00:00 2001
From: dhwanis-crest
Date: Wed, 17 Jan 2024 18:32:56 +0530
Subject: [PATCH] review changes
---
 manual_readme_content.md | 4 ++--
 splunk.json | 4 ++--
 splunk_connector.py | 17 ++++++-----------
 3 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/manual_readme_content.md b/manual_readme_content.md
index a6d101e..419dde5 100644
--- a/manual_readme_content.md
+++ b/manual_readme_content.md
@@ -42,9 +42,9 @@ Please check the permissions for the state file as mentioned below.
 #### State File Permissions
-- File Rights: rw-rw-r-- (664) (The splunk SOAR user should have read and write access for the state
+- File Rights: rw-rw-r-- (664) (The Splunk SOAR user should have read and write access for the state
 file)
-- File Owner: appropriate splunk SOAR user
+- File Owner: appropriate Splunk SOAR user
 ## Required Permissions for Post Data Action
 The endpoint used by the post data action is not supported on Splunk Cloud Platform. Hence, the following steps are not applicable for Splunk Cloud Platform.
diff --git a/splunk.json b/splunk.json
index cf44e9c..f4f19ed 100644
--- a/splunk.json
+++ b/splunk.json
@@ -592,7 +592,7 @@
 "data_path": "action_result.data.*._key",
 "data_type": "string",
 "example_values": [
- "1659398400|_audit"
+ "user"
 ]
 },
 {
@@ -1298,4 +1298,4 @@
 }
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/splunk_connector.py b/splunk_connector.py
index 22551af..bd0bc0e 100644
--- a/splunk_connector.py
+++ b/splunk_connector.py
@@ -51,7 +51,6 @@
 from past.utils import old_div # noqa
 from phantom.base_connector import BaseConnector
 from phantom.vault import Vault
-from phantom_common import paths
 from pytz import timezone
 from splunklib.binding import HTTPError
@@ -139,7 +138,7 @@ def initialize(self):
 self._state = self.load_state()
 if self._state is None:
 self.debug_print("Please check the owner, owner group, and the permissions of the state file")
- self.debug_print("The splunk phantom user should have correct access rights and ownership for the \
+ self.debug_print("The Splunk SOAR user should have correct access rights and ownership for the \
 corresponding state file (refer readme file for more information)")
 return phantom.APP_ERROR
@@ -391,7 +390,7 @@ def _process_response(self, r, action_result):
 return self._process_json_response(r, action_result)
 # Process an HTML response, Do this no matter what the api talks.
- # There is a high chance of a PROXY in between phantom and the rest of
+ # There is a high chance of a PROXY in between Splunk SOAR and the rest of
 # world, in case of errors, PROXY's return HTML, this function parses
 # the error and adds it to the action_result.
 if 'html' in r.headers.get('Content-Type', ''):
@@ -1024,7 +1023,7 @@ def _get_event_start(self, start_time):
 return None
 try:
- # convert to Phantom timestamp format
+ # convert to Splunk SOAR timestamp format
 # '%Y-%m-%dT%H:%M:%S.%fZ
 datetime_obj = dateutil_parse(start_time)
 return datetime_obj.astimezone(pytz.utc).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
@@ -1347,18 +1346,14 @@ def _run_query(self, search_query, action_result, attach_result=False, kwargs_cr
 def add_json_result(self, action_result, data):
- if hasattr(Vault, 'get_vault_tmp_dir'):
- tmp = tempfile.NamedTemporaryFile(dir=Vault.get_vault_tmp_dir(), delete=False)
- else:
- vault_tmp = os.path.join(paths.PHANTOM_VAULT, "tmp")
- tmp = tempfile.NamedTemporaryFile(dir=vault_tmp, delete=False)
+ fd, path = tempfile.mkstemp(dir=Vault.get_vault_tmp_dir(), text=True)
 vault_attach_dict = {}
 vault_attach_dict[phantom.APP_JSON_ACTION_NAME] = self.get_action_name()
 vault_attach_dict[phantom.APP_JSON_APP_RUN_ID] = self.get_app_run_id()
 try:
- with open(tmp.name, 'w') as f:
+ with open(path, 'w') as f:
 json.dump(data, f)
 except Exception as e:
@@ -1371,7 +1366,7 @@ def add_json_result(self, action_result, data):
 container_id = self.get_container_id()
 try:
- success, message, _ = soar_vault.vault_add(container_id, tmp.name, 'splunk_run_query_result.json', vault_attach_dict)
+ success, message, _ = soar_vault.vault_add(container_id, path, 'splunk_run_query_result.json', vault_attach_dict)
 except Exception as e:
 self._dump_error_log(e)
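Review bot: The descriptor returned on the `fd, path = tempfile.mkstemp(...)` line is never closed, and the file is then re-opened by name in the `try` block, so every call to add_json_result leaks one open file descriptor in the connector process until it exits. Either write through the descriptor, `with os.fdopen(fd, 'w') as f:`, or call `os.close(fd)` immediately after `mkstemp` and keep the `open(path, 'w')`; `os` was already used by the removed fallback, so it should still be in scope, but confirm the import survives this commit. The `hasattr(Vault, 'get_vault_tmp_dir')` fallback is dropped as well, so a platform whose Vault lacks that method now raises AttributeError here instead of falling back — worth confirming that matches the versions this app still supports. The second hunk passes the same `path` to `soar_vault.vault_add`, which is consistent; whether the temporary file is removed on the failure branches is outside both hunks, and add_json_result continues past the end of each hunk.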