Hi everyone,
I have a specific question for all of you.

In Splunk ESS I created a correlation search and a notable for the monitoring Incident Review section.

I have set up a specific notable with drilldown to which I pass a field of the CS (Corralation Search)  to perform the specific search and display via the Statistics tab.

Corralation Search:

index=* (statusCode=4* OR statusCode=5*)  
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"  
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

Notable Drilldown

index=* (statusCode=4* OR statusCode=5*)  
| search sourceIp="$sourceIp$"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"  
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

When I open the drilldown from the Notable screen, the following query is returned:

index=* (statusCode=4* OR statusCode=5*) 
| search sourceIp="$sourceIp$" 
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID" 
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

Instead of:

index=* (statusCode=4* OR statusCode=5*)  
| search sourceIp="129.12.x.x"
| rename "requestTime" as Time, "statusCode" as Status, "sourceIp" as SourceIp, "httpMethod" as HttpMethod, "endpointRequestId" as "EndpointReqID"  
| stats values(Status) as Status, values(HttpMethod) as HttpMethod, count by index, SourceIp, EndpointReqID

Why is the $sourceIp$ field not recognized and replaced with the IP address of the CS so that it can perform a specific search?

What is the error?

Thank you all!