I am using Enterprise Security and most of our searches are correlation searches. One of my searches cannot be done as a correlation search, so I have resorted to a plain alert that then sends a notable event to ES (this is because I need a per-event trigger, which correlation searches don't let me do). The alert works and gives me the details I want in ES (basic info such as user details). However, I would like a drill-down search to open something like a table view with additional information. The problem is that I can't seem to find a way to add the token from the notable event to the drill-down. For example, my search is:
index=foo sourcetype=goo
| bin _time span=5m
| stats count by user src
The alert is configured as:
Alert Type = real-time
Trigger Alert when "per-result"
Suppression = 8 hours based on user field
Trigger action ==> when triggered - Notable
The notable trigger event can't be edited.
I then went into the advanced edit options of this alert and configured a drill-down as follows (note $user$):
index=foo sourcetype=goo $user$
| bin _time span=5m
| stats count by user src
| where count > 10
| table src user count
I thought this may be because I am passing the wrong token, so I edited the search as follows (note $result.user$), but still no go:
index=foo sourcetype=goo $result.user$
| bin _time span=5m
| stats count by user src
| where count > 10
| table src user count
Is there a way this can be done? Do I maybe need to generate the token in code so it can then be used (i.e., like a dashboard "set token")?