@splunkrajkrk - Did the answer provided by ekost help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!
The Incident Review page defaults to the last 24 hours. Select a different time range to see if older notable events appear.
Have a look into the index named "notable,” and verify there's data. For example, call macros such as es_notable_events to show data in the index. Available fields are listed on the dev site here.
Check that the correlation searches responsible for triggering notable events are enabled, and running. Correlation searches are found under: Configure > Content Management in recent releases.
Check that the KVStore is up and returning results, as some of the Notable Events fields are stored there. For example, call a macro that will display data from the KVStore such as |inputlookup incident_review_lookup. There’s also REST commands for KVStore are on the dev site here.
If none of these results in a clue towards what is wrong, consider filing a support case.
