the short and easy answer is the use the free-form search to look for bunit="whatever". To add another form field would require editing the incident_review.xml, which will cause upgrade problems.
Thank you for the details.
Also, if I have to create a new filter for the Business Unit in the incident review dashboard. How can I do it. The default filters that I currently see are only
"Status" , "Urgency" , "Owner" , "Title" , "Security Domain" , "Governance" , " Search"
I just wanted to add one more filter for "Bussiness Unit"
Sorry, didn't get a notification...
Configure > Assets > Edit, after your specific machine entries add a network range entry. http://docs.splunk.com/Documentation/ES/2.4/Install/Assetlist#Asset_fields
if the fields you want are covered in the CIM, I believe you can just use the
map_notable_fields macro at the end of your search. More information on this here: http://docs.splunk.com/Documentation/ES/2.4/Install/ModifyCorrelationSearches#Raw_event_searches
If you want to use a field that is not in the CIM, it's more involved: http://docs.splunk.com/Documentation/ES/2.4/User/FAQ#I_want_a_custom_field_in_the_Incident_Review_da...
Thanks , I basically wanted to add a "src_bunit" field to my notable event. I checked the notable2.html file and the section under it does have the below listed under it
'src_bunit' : 'Source Business Unit'
Lets say if raw event data that caused to generate a notable event does not have a 'src_bunit' in it is that why I am not able to see that field in the notable event. Can I force to include the source bussiness unit details somehow
"src_bunit" can come from a number of places, but initially it is introduced via an asset or identity lookup (these run automatically). There are a number of ways to persist this into your notable events:
map_notable_fieldsis only relevant if your search does not have a transforming command (contains _raw)