Where are attachments to investigations stored?


Attachments to investigations in Splunk Enterprise Security are stored in the KV Store. The KV Store is Splunk's built-in NoSQL key-value database, which makes it suitable for holding structured data tied to an investigation, such as documents, files, or other supporting items.

Using the KV Store provides several advantages, including easy access and retrieval of attachments via the Splunk UI or search commands, as well as managing relationships between the attachments and the investigations. This centralized storage approach enhances the capabilities of investigations by enabling users to add relevant supporting materials, keeping everything organized and accessible within the Splunk ecosystem.

The other options, while related to data storage in Splunk, do not serve this function. The notable index stores the notable events generated by correlation searches. The attachments.csv lookup holds metadata about attachments but is not the storage mechanism for the attachment contents themselves. The path mentioned for the views relates to configuration files and UI layout, not to storing investigation attachments.
