Hi There, 

I got issue Drill-down and Next Step are not read in Incident Review, i create Splunk Lab for Research And Development by myself. I just install Splunk Enterprise and Enterprise Security (nothing another external apps) and i ingest DVWA to my Splunk. As you know DVWA has various vulnerabilities, and I want to utilize this as a log that I will then manage in Splunk. Therefore, I made a rule regarding uploading inappropriate files. The query is like this 

index=lab_web sourcetype="apache:access" 
| rex field=_raw "\[(?<Time>[^\]]+)\] \"(?<Method>\w+) (?<Path>/DVWA/vulnerabilities/upload/[^/]+\.\w+) HTTP/1.1\" (?<Status>\d{3}) \d+ \"(?<Referer>[^\"]+)\" \"(?<UserAgent>[^\"]+)\""
| eval FileName = mvindex(split(Path, "/"), -1)
| eval FullPath = "http://localhost" . Path
| where match(FileName, "\.(?!jpeg$|png$)[a-zA-Z0-9]+$")
| table Time, FileName, FullPath, Status

In that correlation, I added notables that were filled in from the drill-down and also the next step. 

But why when I enter the incident review, the drill-down and next steps that I created are not readable?

Maybe there is an application that I haven't installed or something else?

I will attach my full correlation setting include with notable, drill-down, and Next Steps.

Splunk Enterprise Version : 9.3.1

Enterprise Security Version : 7.3.2