At the end of the correlation search, add "| map_notable_fields" to pipe the results to the map_notable_fields macro. This will display all configured fields available in the body of the notable event. To configure new fields, edit the "Event Fields List" section of the config file "/etc/apps/SplunkEnterpriseSecuritySuite/appserver/event_renderers/notable2.html".
Thank you for the answer. What I am interested in, is if there is any (default) way that the notable is linked to the events that generated it. Without any action from correlation search author. (without defining a drilldown for example)
