splunk.es.splunk_notes_info module – Gather information about notes in Splunk Enterprise Security

Note

This module is part of the splunk.es collection (version 5.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install splunk.es.

To use it in a playbook, specify: splunk.es.splunk_notes_info.

New in splunk.es 5.1.0

Synopsis

  • This module allows for querying information about notes in Splunk Enterprise Security.

  • Notes can be queried from findings, investigations, or response plan tasks.

  • Use target_type to specify where to query notes from.

  • Query by note_id to fetch a specific note.

  • Use limit to control the maximum number of notes returned.

  • This module is read-only and does not make any changes.

Note

This module has a corresponding action plugin.

Parameters

Parameter

Comments

api_app

string

The app portion of the Splunk API path.

Override this if your environment uses a different app name.

Default: "missioncontrol"

api_namespace

string

The namespace portion of the Splunk API path.

Override this if your environment uses a different namespace.

Default: "servicesNS"

api_user

string

The user portion of the Splunk API path.

Override this if your environment requires a different user context.

Default: "nobody"

finding_ref_id

string

The reference ID of the finding to query notes from.

Required when target_type=finding.

Format is typically uuid@@notable@@time{timestamp}.

The notable_time query parameter is automatically extracted from this ID.

investigation_ref_id

string

The investigation UUID.

Required when target_type=investigation or target_type=response_plan_task.

limit

integer

Maximum number of notes to return.

Defaults to 100 if not specified.

Ignored when note_id is provided.

Default: 100

note_id

string

The ID of a specific note to retrieve.

If specified, returns only the note with this ID.

For response_plan_task, this enables direct API lookup.

For finding and investigation, notes are fetched and filtered by ID.

phase_id

string

The ID of the phase containing the task.

Required when target_type=response_plan_task.

response_plan_id

string

The ID of the applied response plan.

Required when target_type=response_plan_task.

target_type

string / required

The type of object to query notes from.

Use finding to query notes from a security finding.

Use investigation to query notes from an investigation.

Use response_plan_task to query notes from a task within an applied response plan.

Choices:

  • "finding"

  • "investigation"

  • "response_plan_task"

task_id

string

The ID of the task to query notes from.

Required when target_type=response_plan_task.
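The per-target_type required-argument rules, the uuid@@notable@@time{timestamp} parsing of finding_ref_id, and the rule that note_id overrides limit, worked through as an added example; this is a constructed helper written for this page, not the collection's own code, and the query field names it emits (finding_uuid, notable_time) are assumptions rather than the module's real request format.

```python
import re

# Constructed, hypothetical helper mirroring the documented argument rules of
# splunk.es.splunk_notes_info; it is not the module's own implementation.
# The page says the finding_ref_id format is "typically" uuid@@notable@@time{ts},
# so the uuid part is matched loosely and only the suffix is enforced.
FINDING_REF_RE = re.compile(r"^(?P<uuid>[^@]+)@@notable@@time(?P<ts>\d+)$")

# Which arguments each target_type requires, as documented in the Parameters section.
REQUIRED_BY_TARGET = {
    "finding": ["finding_ref_id"],
    "investigation": ["investigation_ref_id"],
    "response_plan_task": ["investigation_ref_id", "response_plan_id", "phase_id", "task_id"],
}


def parse_finding_ref_id(ref_id):
    """Split uuid@@notable@@time{timestamp} into (uuid, notable_time)."""
    m = FINDING_REF_RE.match(ref_id)
    if not m:
        raise ValueError("finding_ref_id must look like uuid@@notable@@time{timestamp}")
    return m.group("uuid"), int(m.group("ts"))


def missing_args(params):
    """Return the documented required arguments that are absent for the given target_type."""
    target = params.get("target_type")
    if target not in REQUIRED_BY_TARGET:
        raise ValueError("target_type must be one of %s" % sorted(REQUIRED_BY_TARGET))
    return [k for k in REQUIRED_BY_TARGET[target] if not params.get(k)]


def build_query(params):
    """Validate params and return the fields a note lookup would carry (assumed names)."""
    missing = missing_args(params)
    if missing:
        raise ValueError("target_type=%s requires: %s" % (params["target_type"], ", ".join(missing)))
    target = params["target_type"]
    query = {"target_type": target}
    if target == "finding":
        # notable_time is derived from the ref id, as the documentation states.
        query["finding_uuid"], query["notable_time"] = parse_finding_ref_id(params["finding_ref_id"])
    else:
        for k in REQUIRED_BY_TARGET[target]:
            query[k] = params[k]
    # note_id takes precedence and makes limit irrelevant; otherwise default limit is 100.
    if params.get("note_id"):
        query["note_id"] = params["note_id"]
    else:
        query["limit"] = int(params.get("limit") or 100)
    return query
```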

Examples

# Query all notes from a finding
- name: Get all notes from a finding
  splunk.es.splunk_notes_info:
    target_type: finding
    finding_ref_id: "2008e99d-af14-4fec-89da-b9b17a81820a@@notable@@time1768225865"
  register: finding_notes

- name: Display finding notes
  debug:
    var: finding_notes.notes

# Query all notes from an investigation
- name: Get all notes from an investigation
  splunk.es.splunk_notes_info:
    target_type: investigation
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
  register: investigation_notes

# Query all notes from a response plan task
- name: Get all notes from a response plan task
  splunk.es.splunk_notes_info:
    target_type: response_plan_task
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan_id: "b9ef7dce-6dcd-4900-b5d5-982fc194554a"
    phase_id: "phase-001"
    task_id: "task-001"
  register: task_notes

# Query a specific note by ID from a finding
- name: Get specific note from a finding
  splunk.es.splunk_notes_info:
    target_type: finding
    finding_ref_id: "2008e99d-af14-4fec-89da-b9b17a81820a@@notable@@time1768225865"
    note_id: "note-abc123"
  register: specific_note

# Query a specific note by ID from a response plan task
- name: Get specific note from a response plan task
  splunk.es.splunk_notes_info:
    target_type: response_plan_task
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan_id: "b9ef7dce-6dcd-4900-b5d5-982fc194554a"
    phase_id: "phase-001"
    task_id: "task-001"
    note_id: "note-xyz789"
  register: specific_task_note

# Query notes with a custom limit
- name: Get latest 10 notes from an investigation
  splunk.es.splunk_notes_info:
    target_type: investigation
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    limit: 10
  register: limited_notes

# Query notes with custom API configuration
- name: Get notes with custom API path
  splunk.es.splunk_notes_info:
    target_type: investigation
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"
  register: custom_notes

Return Values

Common return values are documented in the Ansible return values reference; the following are the fields unique to this module:

Key

Description

changed

boolean

Whether any changes were made. Always false for info modules.

Returned: always

Sample: false

notes

list / elements=dictionary

List of notes matching the query.

Returned: always

Sample: [{"content": "Initial investigation shows suspicious activity from external IP.", "note_id": "note-abc123"}, {"content": "Escalating to security team for further analysis.", "note_id": "note-def456"}]

content

string

The content/body of the note.

Returned: success

note_id

string

The unique identifier of the note.

Returned: success

Authors

  • Ron Gershburg (@rgershbu)