topic Findings Comments in Splunk Enterprise Security https://community.splunk.com/t5/Splunk-Enterprise-Security/Findings-Comments/m-p/754320#M12720 <P>Hi,&nbsp;</P><P>Our team has recently upgraded to ES 8, we use to have a dashboard that linked notables to closure comments for review.&nbsp;</P><P>Since the upgrade to ES 8 we have not been able to review notes in bulk in association to a particular finding. The notes are stored within the KV store lookup 'mc_notes', however this table only displays the notes and not the finding it is associated with.&nbsp;</P><P>What would be the best way of linking notes with a particular finding, and what would be the SPL for this search.&nbsp;</P><P>Thanks.&nbsp;</P> Tue, 14 Oct 2025 22:19:08 GMT jabson 2025-10-14T22:19:08Z Findings Comments https://community.splunk.com/t5/Splunk-Enterprise-Security/Findings-Comments/m-p/754320#M12720 <P>Hi,&nbsp;</P><P>Our team has recently upgraded to ES 8, we use to have a dashboard that linked notables to closure comments for review.&nbsp;</P><P>Since the upgrade to ES 8 we have not been able to review notes in bulk in association to a particular finding. The notes are stored within the KV store lookup 'mc_notes', however this table only displays the notes and not the finding it is associated with.&nbsp;</P><P>What would be the best way of linking notes with a particular finding, and what would be the SPL for this search.&nbsp;</P><P>Thanks.&nbsp;</P> Tue, 14 Oct 2025 22:19:08 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Findings-Comments/m-p/754320#M12720 jabson 2025-10-14T22:19:08Z Re: Findings Comments https://community.splunk.com/t5/Splunk-Enterprise-Security/Findings-Comments/m-p/756361#M12789 <P>Follow this&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/313602">@jabson</a></P><P><A href="https://splunk.my.site.com/customer/s/article/Notable-Comments-are-no-longer-found-in-index-audit-or-in-incident-review" target="_blank">https://splunk.my.site.com/customer/s/article/Notable-Comments-are-no-longer-found-in-index-audit-or-in-incident-review</A></P> Tue, 09 Dec 2025 21:04:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Findings-Comments/m-p/756361#M12789 sohailmohammed 2025-12-09T21:04:57Z