splunk.es.splunk_investigation_info module – Gather information about Splunk Enterprise Security Investigations
Note
This module is part of the splunk.es collection (version 5.1.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install splunk.es.
To use it in a playbook, specify: splunk.es.splunk_investigation_info.
New in splunk.es 5.1.0
Synopsis
- This module allows for querying information about Splunk Enterprise Security Investigations.
- Use this module to retrieve investigation configurations without making changes.
- Query by investigation_ref_id to fetch a specific investigation.
- Query by name to filter investigations by exact name match.
- Use create_time_min and create_time_max to control the time range of returned investigations.
Note
This module has a corresponding action plugin.
Parameters
| Parameter | Comments |
|---|---|
| api_app | The app portion of the Splunk API path for the investigations endpoint. Override this if your environment uses a different app name. Default: |
| api_namespace | The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: |
| api_user | The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: |
| create_time_max | The maximum time during which investigations were created. All investigations returned have a creation time less than or equal to this value. Accepts relative time (e.g. If not provided, no maximum time filter is applied. |
| create_time_min | The minimum time during which investigations were created. All investigations returned have a creation time greater than or equal to this value. Accepts relative time (e.g. If not provided, no minimum time filter is applied. |
| investigation_ref_id | Reference ID (investigation ID) to query a specific investigation. If specified, returns only the investigation with this ID. Takes precedence over name. |
| limit | Maximum number of investigations to return. If not specified, all matching investigations are returned. Use this to limit large result sets. |
| name | Name to filter investigations. Returns all investigations with an exact name match. Ignored if investigation_ref_id is specified. The |
Examples
```yaml
- name: Query specific investigation by ref_id
  splunk.es.splunk_investigation_info:
    investigation_ref_id: "abc-123-def-456"
  register: result

- name: Display the investigation info
  debug:
    var: result.investigations

- name: Query investigations by name
  splunk.es.splunk_investigation_info:
    name: "Security Incident 2026-01"
  register: result

- name: Query investigations by name within a time range
  splunk.es.splunk_investigation_info:
    name: "Security Incident 2026-01"
    create_time_min: "-7d"
    create_time_max: "now"
  register: result

- name: Display investigations with matching name
  debug:
    var: result.investigations

- name: Query all investigations
  splunk.es.splunk_investigation_info:
  register: all_investigations

- name: Display all investigations
  debug:
    var: all_investigations.investigations

- name: Query investigations created in the last 7 days
  splunk.es.splunk_investigation_info:
    create_time_min: "-7d"
  register: recent_investigations

- name: Query investigations created in the last 30 days
  splunk.es.splunk_investigation_info:
    create_time_min: "-30d"
  register: all_investigations

- name: Query investigations with a limit on results
  splunk.es.splunk_investigation_info:
    create_time_min: "-7d"
    limit: 50
  register: limited_investigations

- name: Query investigations from a specific time range (ISO 8601)
  splunk.es.splunk_investigation_info:
    create_time_min: "2026-01-01T00:00:00"
    create_time_max: "2026-01-07T23:59:59"
  register: all_investigations

- name: Query investigations from a specific time range (epoch)
  splunk.es.splunk_investigation_info:
    create_time_min: "1676497520"
    create_time_max: "1676583920"
  register: all_investigations

# Query investigations with custom API path (for non-standard environments)
- name: Query investigations with custom API path
  splunk.es.splunk_investigation_info:
    create_time_min: "-7d"
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"
  register: custom_investigations
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Description |
|---|---|
| investigations | List of investigations matching the query. Returned: always. Sample: |
| | Description of the investigation. Returned: success |
| | Disposition of the investigation. Returned: success |
| | List of finding IDs attached to the investigation. Returned: success |
| | The unique reference ID of the investigation. Returned: success |
| | Name of the investigation. Returned: success |
| | Owner of the investigation. Returned: success |
| | Sensitivity level of the investigation. Returned: success |
| | Status of the investigation. Returned: success |
| | Urgency level of the investigation. Returned: success |
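The examples above only print the `investigations` list. As an added example that is not part of the collection's documentation, the playbook below consumes the result for a triage review: it fetches the last week with a `limit`, stops if the cap was hit (a capped result set is not the full population), and lists open high-urgency investigations. The per-investigation field names `urgency`, `status`, `owner` and `name`, and the values `high`, `critical` and `closed`, are assumptions; the page gives field descriptions but not key names.

```yaml
# Added example, not from the splunk.es collection. Field names urgency,
# status, owner and name, and the values 'high', 'critical', 'closed', are
# ASSUMPTIONS: inspect a real result.investigations entry and adjust them.
- name: Triage review of recent Splunk ES investigations
  hosts: localhost
  gather_facts: false
  vars:
    result_cap: 200
  tasks:
    - name: Fetch investigations created in the last 7 days (capped)
      splunk.es.splunk_investigation_info:
        create_time_min: "-7d"
        create_time_max: "now"
        limit: "{{ result_cap }}"
      register: recent

    # If the module returned exactly result_cap items the set may be
    # truncated, so never report it as a complete picture of the queue.
    - name: Stop when the result cap was reached
      ansible.builtin.fail:
        msg: >-
          {{ recent.investigations | length }} investigations returned, which
          equals the limit; raise result_cap or narrow create_time_min.
      when: recent.investigations | length >= result_cap | int

    # Keep only entries that carry the assumed fields, then filter on them.
    - name: Select open, high-urgency investigations (assumed field names)
      ansible.builtin.set_fact:
        hot_open: >-
          {{ recent.investigations
             | selectattr('urgency', 'defined')
             | selectattr('status', 'defined')
             | selectattr('urgency', 'in', ['high', 'critical'])
             | rejectattr('status', 'equalto', 'closed')
             | list }}

    - name: Report each one with its owner so unassigned items stand out
      ansible.builtin.debug:
        msg: >-
          {{ item.name }} status={{ item.status }}
          owner={{ item.owner | default('UNASSIGNED', true) }}
      loop: "{{ hot_open }}"
      loop_control:
        label: "{{ item.name }}"
```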