I have a correlation search in Splunk ES that does some statistics and returns a table with the events: "src_ip", "dest_ip", "count", "latest", "action", "app", "src", "dest", and "dest_port". The search looks something like the following.
| tstats count latest(_time) as latest values(All_Traffic.action) as action values(All_Traffic.app) as app values(All_Traffic.src) as src values(All_Traffic.dest) as dest values(All_Traffic.dest_port) as dest_port from datamodel=Network_Traffic where All_Traffic.dest_ip=1.2.3.4 by All_Traffic.src_ip All_Traffic.dest_ip
| rename All_Traffic.* as *
When this correlation search triggers it writes an event to the notable index, and that notable event contains the fields that are output by the search, except src_ip and dest_ip. Note that I'm talking about the notable index here, not the incidents shown in the Incident Review.
I've looked in the documentation for an explanation of this behaviour, but can't find anything. Can someone explain to me how Splunk picks which fields are to be written to the notable index events, and if possible, how one can force Splunk to write all fields from the search to the notable index?
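A diagnostic search that is useful when chasing this kind of question, added here as an example and not part of the original post: it reads the notable events written by one correlation search and lists which of the expected result fields actually reached the index, so the notable event can be compared field by field with the tstats output above. The search name is a placeholder to be replaced with the real correlation search name; `search_name` is the field Splunk ES stamps on each notable event to identify the originating search.

```spl
index=notable search_name="<correlation search name>"
| head 50
| fieldsummary
| search field IN (src_ip, dest_ip, src, dest, dest_port, action, app, count, latest)
| table field count
```

Fields present in the tstats output but absent from this table are the ones the notable action is not persisting; running the same check against the fields before and after the `rename All_Traffic.* as *` step narrows down whether the by-clause fields are being dropped before or after the rename.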