https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673309#M230552 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263755">@jaro</a>,</P><P>to see a field in the fields of a Notable (in the Incident Review dashboard) you have to check if this field is displayed in the Notable event (running index=notable search=your_correlation_search),</P><P>if not, probably isn't displayed in the output of the correlation search: manually run your correlation search and see if the field is displayed, if not add it to the correlation Search.</P><P>One additional hint: don't modify the Correlation Search, but clone it and modify and enable only the cloned one.</P><P>If the field is present in the Notable event, you have also to check if it's present in the default visible fields, that you can find these configurations at [Configure &gt; Incident management &gt; Incident Review Settings] in the section Incident Review - Event Attributes.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Jan 2024 07:53:08 GMT gcusello 2024-01-05T07:53:08Z https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673300#M230550 <P>Here are the screenshots:</P><P>In incident review setting, I have already labeled signature:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaro_0-1704421786405.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28774i703E498C62F77EFD/image-size/medium?v=v2&amp;px=400" role="button" title="jaro_0-1704421786405.png" alt="jaro_0-1704421786405.png" /></span></P><P>Then in Correlation Search content setting, also I have setting the search query which could result in fields with signature. This search can be run normally in search head and show the result I want.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaro_1-1704421940091.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28775i60596670346B4E42/image-size/medium?v=v2&amp;px=400" role="button" title="jaro_1-1704421940091.png" alt="jaro_1-1704421940091.png" /></span></P><P>But here related to drill-down search or description, this $signature$ can not show in notable of incident review:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaro_2-1704422095632.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28776i0D55421F633DE6C1/image-size/medium?v=v2&amp;px=400" role="button" title="jaro_2-1704422095632.png" alt="jaro_2-1704422095632.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jaro_3-1704422192557.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/28777iC6615CB3413E7700/image-size/medium?v=v2&amp;px=400" role="button" title="jaro_3-1704422192557.png" alt="jaro_3-1704422192557.png" /></span></P><P>&nbsp;</P><P>May I ask how to solve this issue?</P> Fri, 05 Jan 2024 02:40:06 GMT https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673300#M230550 jaro 2024-01-05T02:40:06Z https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673309#M230552 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263755">@jaro</a>,</P><P>to see a field in the fields of a Notable (in the Incident Review dashboard) you have to check if this field is displayed in the Notable event (running index=notable search=your_correlation_search),</P><P>if not, probably isn't displayed in the output of the correlation search: manually run your correlation search and see if the field is displayed, if not add it to the correlation Search.</P><P>One additional hint: don't modify the Correlation Search, but clone it and modify and enable only the cloned one.</P><P>If the field is present in the Notable event, you have also to check if it's present in the default visible fields, that you can find these configurations at [Configure &gt; Incident management &gt; Incident Review Settings] in the section Incident Review - Event Attributes.</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Jan 2024 07:53:08 GMT https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673309#M230552 gcusello 2024-01-05T07:53:08Z https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673326#M230557 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>.&nbsp; ---<SPAN>to check if this field is displayed in the Notable event (running index=notable search=your_correlation_search), yes, I have display the result "signature" in the search I ran. However, the below description can not show the field value "signature" I search in correlation search as $signature$.&nbsp;</SPAN></P><P><SPAN>Also I have tried eval other name equal to field signature, still nothing.</SPAN></P> Fri, 05 Jan 2024 09:50:17 GMT https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673326#M230557 jaro 2024-01-05T09:50:17Z https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673328#M230558 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263755">@jaro</a>&nbsp;,</P><P>if the field is in the Notable index, can be displayed.</P><P>Did you checked if it's in the visualized fields?</P><P>Ciao.</P><P>Giuseppe</P> Fri, 05 Jan 2024 10:11:44 GMT https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673328#M230558 gcusello 2024-01-05T10:11:44Z https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673482#M230618 <P>It's OKAY now. In next triggered notable, it displayed.&nbsp;Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>.&nbsp;</P> Mon, 08 Jan 2024 03:39:02 GMT https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673482#M230618 jaro 2024-01-08T03:39:02Z https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673495#M230619 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263755">@jaro</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 08 Jan 2024 07:18:04 GMT https://community.splunk.com/t5/Splunk-Search/how-to-label-the-attributing-events-additional-fields-which-can/m-p/673495#M230619 gcusello 2024-01-08T07:18:04Z