[BUG] Discrepancy for parameters with JSON values

[AndreiBanaru]

Describe the bug

1. For bug reproduction, one needs to open any TTP correlation search type, via Content Management in ES.
2. We hit the Save button (but we don't make any changes).
3. We check DA-ESS-ContentUpdate/local/savedsearches.conf and we notice these parameters have appeared for the search we saved:
   • action.correlationsearch.annotations
   • action.notable.param.drilldown_searches
   • action.risk.param._risk

From what it appears, contentctl uses the built-in tojson jinja2 filter and adds 1 whitespace, while the ES Content Management adds none.

Can we have the behaviour aligned in any way?

Expected behavior

As I haven't made any changes to the parameters, I find the way ES reads those JSONized parameters and sets them in local/savedsearches.conf an issue, as it locks those paramters in place, so any further updates in default/savedsearches.conf will not be taken into account.

Screenshots

App Version:

• ESCU: 5.16.0
• SplunkEnterpriseSecuritySuite: 7.3.4

Additional context

Splunk Support Ticket: 3894188

[nasbench]

cc @pyth0n1c

[pyth0n1c]

Very specifically, I believe this is the line that @AndreiBanaru is referencing:
https://github.com/splunk/contentctl/blob/0c8fa2647245e150b4e86dd8be4bcaf8d2e2eb6c/contentctl/output/templates/savedsearches_detections.j2#L40

As far as I can tell, the json.dumps(dict_object, separators):
https://docs.python.org/3/library/json.html#json.dump (json.dump arguments are the same as the json.dumps arguments)

separators ([tuple](https://docs.python.org/3/library/stdtypes.html#tuple) | None) – 
A two-tuple: (item_separator,key_separator). 
If None (the default), separators defaults to (', ', ': ') if indent is None, and (',', ': ') otherwise. 
For the most compact JSON, specify (',', ':') to eliminate whitespace.

allows you to specify how keys and items should be separated,
This means we could use json.dumps(dict_object, separators=(', ', ': ')) to get the desired behavior (if we were using json.dumps)

However, the Jinja tojson filter does NOT expose that as an argument:
https://jinja.palletsprojects.com/en/stable/templates/#jinja-filters.tojson

My guess is that we will have to define a new filter, something along the lines of tojson_no_whitespace and use that, rather than tojson to get the consistent behavior.