Splunk Enterprise v7.0.1
Some notable events are showing in Incident Review but not all.
We are missing some notables that used to show/generate fine in the past.
Not sure if related but running MC Health Check shows the following -
Orphaned scheduled searches Splunk Miscellaneous configuration, search
One or more scheduled searches are orphaned, meaning that they are no longer associated with valid owners. The scheduler will not run orphaned scheduled searches.
Search scheduler skip ratio Data Search scheduler
Scheduled searches are being skipped on one or more search heads.
The MC Health Check explained why you are missing notable events.