splunk.es.splunk_notes module – Manage notes for findings, investigations, and response plan tasks

Note

This module is part of the splunk.es collection (version 5.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install splunk.es.

To use it in a playbook, specify: splunk.es.splunk_notes.

New in splunk.es 5.1.0

Synopsis

• This module allows for creation, update, and deletion of notes in Splunk Enterprise Security.

• Notes can be created for findings, investigations, or response plan tasks.

• Use target_type to specify where the note should be attached.

• When state=present without note_id, a new note is created.

• When state=present with note_id, the existing note is updated.

• When state=absent with note_id, the note is deleted.

• Note creation (without note_id) is NOT idempotent. Each call creates a new note, even if the content is identical. This is by design, as notes are meant to be additive and multiple notes with the same content may be intentional.

• Note updates (with note_id) ARE idempotent. The module compares the existing note’s content with the desired state and only updates if there are differences.

Note

This module has a corresponding action plugin.

Parameters

Parameter	Comments
api_app string	The app portion of the Splunk API path. Override this if your environment uses a different app name. Default: "missioncontrol"
api_namespace string	The namespace portion of the Splunk API path. Override this if your environment uses a different namespace. Default: "servicesNS"
api_user string	The user portion of the Splunk API path. Override this if your environment requires a different user context. Default: "nobody"
content string	The content/body of the note. Required when state=present (creating or updating a note).
finding_ref_id string	The reference ID of the finding to attach the note to. Required when target_type=finding. Format is typically uuid@@notable@@time{timestamp}.
investigation_ref_id string	The investigation UUID. Required when target_type=investigation or target_type=response_plan_task.
note_id string	The ID of an existing note. Required when updating or deleting a note. When state=present and note_id is provided, the note is updated. When state=absent, note_id is required to identify the note to delete.
phase_id string	The ID of the phase containing the task. Required when target_type=response_plan_task.
response_plan_id string	The ID of the applied response plan. Required when target_type=response_plan_task.
state string	The desired state of the note. Use present to create or update a note. Use absent to delete a note (requires note_id). Choices: "present" ← (default) "absent"
target_type string / required	The type of object to attach the note to. Use finding to attach a note to a security finding. Use investigation to attach a note to an investigation. Use response_plan_task to attach a note to a task within an applied response plan. Choices: "finding" "investigation" "response_plan_task"
task_id string	The ID of the task to attach the note to. Required when target_type=response_plan_task.

Examples

# Create a note on a finding
- name: Add note to a finding
  splunk.es.splunk_notes:
    target_type: finding
    finding_ref_id: "2008e99d-af14-4fec-89da-b9b17a81820a@@notable@@time1768225865"
    content: "Initial investigation shows suspicious activity from external IP."

# Create a note on an investigation
- name: Add note to an investigation
  splunk.es.splunk_notes:
    target_type: investigation
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    content: "Escalating to security team for further analysis."

# Create a note on a response plan task
- name: Add note to a response plan task
  splunk.es.splunk_notes:
    target_type: response_plan_task
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    response_plan_id: "b9ef7dce-6dcd-4900-b5d5-982fc194554a"
    phase_id: "phase-001"
    task_id: "task-001"
    content: "Completed isolation of affected systems."

# Update an existing note
- name: Update a note on a finding
  splunk.es.splunk_notes:
    target_type: finding
    finding_ref_id: "2008e99d-af14-4fec-89da-b9b17a81820a@@notable@@time1768225865"
    note_id: "note-abc123"
    content: "Updated analysis: confirmed malicious activity."

# Delete a note from an investigation
- name: Delete a note from an investigation
  splunk.es.splunk_notes:
    target_type: investigation
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    note_id: "note-abc123"
    state: absent

# Create note with custom API configuration
- name: Add note with custom API path
  splunk.es.splunk_notes:
    target_type: investigation
    investigation_ref_id: "590afa9c-23d5-4377-b909-cd2cfa1bc0f1"
    content: "Note content here"
    api_namespace: "{{ es_namespace | default('servicesNS') }}"
    api_user: "{{ es_user | default('nobody') }}"
    api_app: "{{ es_app | default('missioncontrol') }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
changed boolean	Whether any changes were made. Returned: always Sample: true
msg string	Message describing the result. Returned: always Sample: "Note created successfully"
note dictionary	The note result containing before/after states. Returned: always Sample: {"after": {"content": "Investigation shows suspicious activity.", "note_id": "note-abc123"}, "before": null}
after dictionary	The note state after module execution. Returned: when state is present
content string	The content of the note. Returned: success
note_id string	The unique identifier of the note. Returned: success
before dictionary	The note state before module execution (if existed). Returned: when note existed (update/delete operations)

Authors

• Ron Gershburg (@rgershbu)

Collection links

• Issue Tracker
• Repository (Sources)