splunk.es.splunk_finding_info module – Gather information about Splunk Enterprise Security Findings
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_finding_info.
New in splunk.es 5.1.0
Synopsis
This module allows for querying information about Splunk Enterprise Security Findings.
Use this module to retrieve finding configurations without making changes.
- Query by ref_id to fetch a specific finding; earliest and latest are not used in that case.
- Query by title to filter findings by exact title match.
- Use earliest and latest to control the time range of returned findings.
- By default, if earliest and latest are not specified, findings from the last 24 hours are returned.
- This default time range (24 hours) applies when querying by title or when querying all findings, not when querying by ref_id.
- This module uses the httpapi connection plugin and does not require a local Splunk SDK.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Comments |
|---|---|
| api_app | The app portion of the Splunk API path for the findings endpoint. Override this if your environment uses a different app name. Default: |
| api_namespace | The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: |
| api_user | The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: |
| earliest | The earliest time for findings to return. All findings returned have a _time greater than or equal to this value. Accepts relative time (e.g. -7d) or an ISO 8601 timestamp, as in the examples below. If not provided, defaults to the last 24 hours. Ignored when querying by ref_id. Applies when querying by title or when querying all findings. |
| latest | The latest time for findings to return. All findings returned have a _time less than or equal to this value. Accepts relative time (e.g. now) or an ISO 8601 timestamp, as in the examples below. If not provided, defaults to the current time. Ignored when querying by ref_id. Applies when querying by title or when querying all findings. |
| limit | Maximum number of findings to return. If not specified, all matching findings are returned. Use this to limit large result sets. |
| ref_id | Reference ID (finding ID) to query a specific finding. If specified, returns only the finding with this ID. Takes precedence over title. The time is automatically extracted from the ref_id (format uuid@@notable@@time{timestamp}). When querying by ref_id, the earliest and latest parameters are ignored. |
| title | Title name to filter findings. Returns all findings with an exact title match. Ignored if ref_id is specified. |
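The precedence rules documented above (ref_id wins over title and discards the time range; title and all-findings queries fall back to the 24-hour window; relative modifiers such as -7d resolve against the current time) are illustrated by the following Python sketch. This is an added example, not code from the splunk.es collection: the function names, the "-24h" spelling of the default window, the treatment of naive ISO 8601 timestamps as UTC, and the shape of the returned query dictionary are all assumptions made for the illustration. Splunk snap-to modifiers (for example a trailing @d) are deliberately not handled.

```python
"""Parameter-precedence sketch for splunk.es.splunk_finding_info queries.

Added illustration, not the collection's own code: function names, the
"-24h" spelling of the default window and the UTC assumption for naive
ISO 8601 timestamps are all assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Documented ref_id shape: uuid@@notable@@time{timestamp}
REF_ID_RE = re.compile(r"^(?P<uuid>[^@]+)@@notable@@time(?P<ts>\d+)$")
# Relative time modifiers such as -7d, -30d, -24h (no snap-to suffix support)
REL_RE = re.compile(r"^-(?P<n>\d+)(?P<unit>[smhd])$")
UNIT_KW = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}

DEFAULT_EARLIEST = "-24h"  # assumed spelling of the documented 24-hour default
DEFAULT_LATEST = "now"     # documented: defaults to the current time


def parse_ref_id(ref_id: str) -> tuple[str, int]:
    """Split a finding ref_id into its uuid and the embedded epoch timestamp."""
    m = REF_ID_RE.match(ref_id)
    if m is None:
        raise ValueError(
            f"ref_id is not in uuid@@notable@@time{{timestamp}} form: {ref_id!r}")
    return m.group("uuid"), int(m.group("ts"))


def resolve_query(ref_id: str | None = None, title: str | None = None,
                  earliest: str | None = None, latest: str | None = None,
                  limit: int | None = None) -> dict:
    """Decide which documented query mode applies and which inputs survive.

    ref_id wins over title and discards earliest/latest; title and
    all-findings queries get the 24-hour default window when none is given.
    """
    if ref_id:
        uuid, ts = parse_ref_id(ref_id)
        return {"mode": "ref_id", "ref_id": ref_id, "uuid": uuid,
                "event_time": ts, "limit": limit}
    query = {"mode": "title" if title else "all",
             "earliest": earliest or DEFAULT_EARLIEST,
             "latest": latest or DEFAULT_LATEST,
             "limit": limit}
    if title:
        query["title"] = title
    return query


def _aware_utc(dt: datetime) -> datetime:
    """Treat naive timestamps as UTC (assumption for this sketch)."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def to_datetime(spec: str, now: datetime) -> datetime:
    """Resolve 'now', a -N{s,m,h,d} modifier or an ISO 8601 string to a datetime."""
    if spec == "now":
        return now
    m = REL_RE.match(spec)
    if m:
        return now - timedelta(**{UNIT_KW[m.group("unit")]: int(m.group("n"))})
    return _aware_utc(datetime.fromisoformat(spec))


def window_bounds(earliest: str, latest: str, now_iso: str) -> tuple[str, str]:
    """Return the absolute (earliest, latest) window as ISO 8601 strings."""
    now = _aware_utc(datetime.fromisoformat(now_iso))
    start, end = to_datetime(earliest, now), to_datetime(latest, now)
    if start > end:
        raise ValueError(f"earliest {earliest!r} is after latest {latest!r}")
    return start.isoformat(), end.isoformat()


if __name__ == "__main__":
    # Constructed inputs mirroring the playbook examples below.
    q = resolve_query(title="Suspicious Login Activity", earliest="-7d")
    print(q)
    print(window_bounds(q["earliest"], q["latest"], "2026-01-08T00:00:00"))
    print(resolve_query(ref_id="abc-123-def-456@@notable@@time1234567890",
                        earliest="-7d"))
```

The last call shows the point most worth checking in a playbook: when both ref_id and a time range are supplied, the time range is silently dropped, so a task that sets earliest alongside ref_id is not narrowing anything.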
Examples
```yaml
- name: Query specific finding by ref_id (time extracted automatically from ref_id)
  splunk.es.splunk_finding_info:
    ref_id: "abc-123-def-456@@notable@@time1234567890"
  register: result

- name: Display the finding info
  debug:
    var: result.findings

- name: Query findings by title (from last 24 hours by default)
  splunk.es.splunk_finding_info:
    title: "Suspicious Login Activity"
  register: result

- name: Query findings by title from the last 7 days
  splunk.es.splunk_finding_info:
    title: "Suspicious Login Activity"
    earliest: "-7d"
  register: result

- name: Display findings with matching title
  debug:
    var: result.findings

- name: Query all findings (from last 24 hours by default)
  splunk.es.splunk_finding_info:
  register: all_findings

- name: Display all findings
  debug:
    var: all_findings.findings

- name: Query all findings from the last 7 days
  splunk.es.splunk_finding_info:
    earliest: "-7d"
    latest: "now"
  register: all_findings

- name: Query all findings from the last 30 days
  splunk.es.splunk_finding_info:
    earliest: "-30d"
  register: all_findings

- name: Query findings with a limit on results
  splunk.es.splunk_finding_info:
    earliest: "-7d"
    limit: 100
  register: limited_findings

- name: Query findings from a specific time range (ISO 8601)
  splunk.es.splunk_finding_info:
    earliest: "2026-01-01T00:00:00"
    latest: "2026-01-07T23:59:59"
  register: all_findings

- name: Filter findings by status using Jinja2
  splunk.es.splunk_finding_info:
    earliest: "-7d"
  register: all_findings

# Query findings with custom API path (for non-standard environments)
- name: Query findings with custom API path
  splunk.es.splunk_finding_info:
    earliest: "-7d"
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('SplunkEnterpriseSecuritySuite') }}"
  register: custom_findings
```
Return Values
Common return values are documented here; the following are the fields unique to this module:

| Key | Description |
|---|---|
| findings | List of findings matching the query. Returned: always. Sample: |

Each entry in findings carries the following fields (returned: success):

- Description of the finding
- Disposition of the finding
- The risk object (entity) associated with the finding
- Type of the risk object (user or system)
- Risk score of the finding
- Owner of the finding
- The unique reference ID of the finding
- Security domain of the finding
- Status of the finding
- Title of the finding
- Urgency level of the finding