Splunk Search

Notable Event Custom Fields

ericl42
Path Finder

I'm working on creating multiple custom correlation rules such as failed logins from one IP, failed logins from multiple srcs, multiple host infections, etc. and in all of them, there will be a "unique_count" field that I always want populated within the Incident Review page under notable events.

By default, it sets count to the field unique_infections, but I want one field to work for all of my rules. So I changed unique_infections to unique_count and came up with the query below that will define unique_count as failures, but it's not showing up correctly. From reading http://docs.splunk.com/Documentation/ES/5.2.0/Admin/Customizenotables, it seems like as long as my variable includes a statistical transformation, which it does, then it should work. Am I missing anything?

Here is my correlation rule.

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user
| eval unique_count=failures
| table src user successes failures unique_count
| where failures>10

I recently added the unique_count=failures and table section so when I see the query, it shows me all of the fields I'm truly interested in. Everything is working fine minus unique_count showing up in the Count column under the notable event.

0 Karma

hettervik_new
Explorer

Hi. There is a defined list of field names that will show up in Incident Review in Splunk ES. To get a new field added to that list, i.e. "unique_count", you must add it in the list "Incident Review - Event Attributes" under Configure > Incident Management > Incident Review Settings.

0 Karma
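As an added example (not from either poster), two correlation searches that both emit the same unique_count field so that, once "unique_count" has been added to the Incident Review event attributes as described in the answer, a single attribute serves the "failed logins from one source" and "failed logins from multiple sources" rules. The first search reuses the question's base search and computes unique_count from the failure count; the second generalises it with dc(src) so unique_count is the number of distinct source addresses per user. The threshold of 5 distinct sources and the use of dc(src) are assumptions for illustration.

```spl
(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| stats count(eval(action="success")) as successes count(eval(action="failure")) as failures by src user
| where failures>10
| eval unique_count=failures
| table src user successes failures unique_count

(index=windows* OR index=unix*) (source=WinEventLog:Security OR sourcetype=linux_secure OR tag=authentication) NOT Result_Code=0x17
| search action="failure"
| stats dc(src) as unique_count values(src) as src count as failures by user
| where unique_count>5
| table user src failures unique_count
```

Because unique_count is produced by a stats transformation in both searches, it is carried into the notable event and will appear in Incident Review only after it is listed under Incident Review - Event Attributes.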