I created a correlation search and added a Notable action as "Adaptive Response Actions".
Running the search returns some events, and Activity > Jobs shows that the events exist.
However, "Incident Review" doesn't display any events.
I have disabled "Throttling" by setting "Window duration" to "0".
Hi,
There's a new page in the docs about troubleshooting missing notable events in Splunk Enterprise Security. Maybe one of these tips will help:
https://docs.splunk.com/Documentation/ES/6.4.0/Admin/Troubleshootnotables