customizing fields in incident review tickets
Can I customize the fields that I see for an incident ticket for the notable event in the incident review dashboard?
For example, if I want to assign the compliance field that shows it's for PCI/SOX/HIPAA/GLBA, etc.
Can you add more detail to the example please, thanks!
Hi - you need to use assets.csv to set a wildcard entry.
The short and easy answer is to use the free-form search to look for bunit="whatever". Adding another form field would require editing incident_review.xml, which will cause upgrade problems.
Thank you for the details.
Also, if I have to create a new filter for the Business Unit in the incident review dashboard, how can I do it? The default filters that I currently see are only
"Status", "Urgency", "Owner", "Title", "Security Domain", "Governance" and "Search".
I just wanted to add one more filter for "Business Unit".
Sorry, didn't get a notification...
Configure > Assets > Edit, after your specific machine entries add a network range entry. http://docs.splunk.com/Documentation/ES/2.4/Install/Assetlist#Asset_fields
Oh ok. Can you please help me understand how I should update the assets.csv file (you mean the lookup file?) and also where to add the wildcard entry?
Hi,
if the fields you want are covered in the CIM, I believe you can just use the map_notable_fields macro at the end of your search. More information on this here: http://docs.splunk.com/Documentation/ES/2.4/Install/ModifyCorrelationSearches#Raw_event_searches
If you want to use a field that is not in the CIM, it's more involved: http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...
Thanks, I basically wanted to add a "src_bunit" field to my notable event. I checked the notable2.html file and the section under it does have the below listed under it:
'src_bunit' : 'Source Business Unit'
Let's say the raw event data that caused the notable event to be generated does not have a 'src_bunit' in it; is that why I am not able to see that field in the notable event? Can I force it to include the source business unit details somehow?
"src_bunit" can come from a number of places, but initially it is introduced via an asset or identity lookup (these run automatically). There are a number of ways to persist this into your notable events:
1. Retain the field using a transforming command (i.e. values(src_bunit) as src_bunit).
2. map_notable_fields is only relevant if your search does not have a transforming command (contains _raw).
3. If your notable events contain a subject (src/dest/dvc/orig_host) or an identity field (src_user, user), we re-introduce "src_bunit" as part of the asset/identity lookups performed on the notable event. This is OUTPUTNEW, so these lookups will not overwrite the field if it was persisted using #1.
David
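Putting the two answers together, as an added example that is not code from this thread or from Splunk's own ES content: the asset list supplies src_bunit, and the correlation search has to carry it through. Assumptions made for illustration only: the asset list (Configure > Assets, as described above) has a network range row, placed after the specific host rows, whose ip column holds 10.20.0.0/16 and whose bunit column holds finance, with the remaining columns left empty; the events carry the CIM Authentication tag; and 20 failures from one source against one user is the alerting threshold. Because ES applies its asset lookup to src automatically, src_bunit is already present on the raw events, so the transforming command only has to keep it (option #1 in the answer above):

```spl
tag=authentication action=failure
| stats count
        values(src_bunit)    as src_bunit
        values(src_category) as src_category
        values(dest)         as dest
        by src user
| where count >= 20
```

Since this search has a transforming command, the map_notable_fields macro is not needed; a raw-event search (one that still carries _raw) would end with that macro instead, per the doc linked earlier. When the notable event is written, the asset lookup on src runs again with OUTPUTNEW, so the persisted src_bunit is not overwritten, and a source outside any asset row simply has no src_bunit (check with the stats output before enabling the search). In Incident Review the field then appears on the notable, and the free-form search field finds those events with src_bunit="finance", the same approach suggested for bunit earlier in the thread instead of editing incident_review.xml.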
