Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extract attachments/notes from Findings (Mission Control) in Splunk ES 8.3 using SPL

Kobi998
New Member
2 weeks ago

Hi,

I’d appreciate your help extracting attachments/notes that users add to Findings (Mission Control) for reporting purposes using SPL in Splunk Cloud Platform.

Until recently, I was using a custom SPL query based on _audit logs (mc_generic_kv_update) to retrieve this data, but after upgrading to Enterprise Security 8.3 it stopped working. From Splunk Support I understand that this method is no longer supported and that notes/attachments are no longer exposed via KV store or _audit, and that the recommended approach is via the Enterprise Security API.

Is there still any supported way to extract this data using SPL only (for example via | rest) in Splunk Cloud, or is the only supported option to use external REST API calls (port 8089 with IP allowlisting)?

If anyone has successfully implemented this (either via SPL or API), I’d appreciate an example or guidance.

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
2 weeks ago

Hi @Kobi998 

Have you see this endpoint? 

https://{stack}:{port}/servicesNS/nobody/missioncontrol/public/v2/investigations/{id}/notes

https://help.splunk.com/en/splunk-enterprise-security-8/api-reference/8.5/splunk-enterprise-security...

Also this might help: https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-ES-8-2-API-note-management/td-p/75...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...