Review and finish existing legacy investigations in Splunk Enterprise Security

If you previously created investigations in Splunk Enterprise Security 7.x, you can still review and complete them after upgrading to version 8.x. With the legacy Investigations interface, you can finish your existing work, export data for reports, and maintain visibility into past findings so that you don't lose context after upgrading.

The legacy investigation interface is supported for a limited time. Start a new investigation in the analyst queue for the updated experience.

You can find legacy investigations in the configuration settings. To access them, follow these steps:

  1. In Splunk Enterprise Security, select Configure and then All configurations.
  2. In the Findings and investigations section, select Legacy investigations.
  3. From the table, select the investigation you want to review and finish.

After opening the investigation, you'll see a banner identifying the legacy interface.

After accessing a legacy investigation in Splunk Enterprise Security 8.x, you can finish working on it by adding artifacts, adding notes, and updating the status. See the following documentation for Splunk Enterprise Security 7.x:

Legacy investigation access by role

The following table explains the access conditions for managing legacy investigations.

| Role | Legacy investigation access |
| --- | --- |
| admin | If the total count of legacy investigations is greater than 0, this user can manage all legacy investigations. |
| sc_admin | If the total count of legacy investigations is greater than 0, this user can manage all legacy investigations. |
| ess_admin | If the total count of legacy investigations is greater than 0, this user can manage all legacy investigations. |
| ess_analyst | If the number of investigations assigned to this user is greater than 0, that user can manage the legacy investigations assigned to them. |

For any other role, including custom roles, you must have the edit_timeline capability to access legacy investigations. See Users and roles for Splunk Enterprise Security.
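To verify which roles on a search head can reach legacy investigations through the edit_timeline capability, the following search is an added example and is not part of the Splunk documentation. It assumes the standard `/services/authorization/roles` REST endpoint, which lists each role's own `capabilities` and the `imported_capabilities` it inherits; the role running the search must itself be allowed to call that endpoint.

```spl
| rest /services/authorization/roles splunk_server=local
| eval all_caps = mvappend(capabilities, imported_capabilities)
| where isnotnull(mvfind(all_caps, "^edit_timeline$"))
| table title imported_roles
```

Any custom role that appears in the output can open legacy investigations regardless of whether it is listed in the table above, so reviewing this list before the legacy interface is retired is a quick least-privilege check: roles that no longer need to finish old investigations can have the capability removed.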