Can't you include the name of the risk_object, its score, and which search triggered it by using field names to append to the notable name? And then all of that info would be available for you to parse out of the name in the notable index?
Use a lookup to keep track of the data somehow.
Something with fields like
risk_object, score,search_scope
comp1,120,1
serv3,200,4
userA,170,24
So that you can then do some lookups during your search like...
[search to find risk score] | [let's say we now have fields newScore and this_search_scope] | lookup risk_lookup risk_object OUTPUT score search_scope | where newScore >= score + 100 and this_search_scope search_scope | [create a notable] | [maybe pipe to outputlookup here or do that in a different search]
So keep track of those objects that you alerted on, how high the risk score was, and which search generated the notable initially (1, 4, 8, 24). Then when you run your searches, compare the score of the current search with what you have in the lookup, and also decide whether you want to alert again based on which search is running now and which one caused the alert initially.
Not sure exactly how to get all of that info together and updated in a lookup, but this is the best way
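One way to fill in the bracketed steps above, as an added example that is not part of the original answer. It assumes an Enterprise Security style risk index (index=risk with risk_object and risk_score fields), a lookup definition named risk_lookup with the three columns shown above, and a 24-hour scope; the "alert when the score has grown by 100 since the last notable" rule is one reading of the answer, not the only one. The first search is the correlation search whose results feed the notable action; the second rebuilds the lookup so that each object keeps its highest scored row.

```spl
| rename COMMENT AS "Detection search (24h scope): compare current score with the last alerted score"
index=risk earliest=-24h
| stats sum(risk_score) AS newScore BY risk_object
| eval this_search_scope=24
| lookup risk_lookup risk_object OUTPUT score AS prevScore search_scope AS prevScope
| fillnull value=0 prevScore prevScope
| where newScore >= prevScore + 100
| table risk_object newScore prevScore prevScope this_search_scope

| rename COMMENT AS "Maintenance search (run after the notable): merge new alerts into the lookup"
index=risk earliest=-24h
| stats sum(risk_score) AS score BY risk_object
| eval search_scope=24
| lookup risk_lookup risk_object OUTPUT score AS prevScore
| fillnull value=0 prevScore
| where score >= prevScore + 100
| fields risk_object score search_scope
| inputlookup append=true risk_lookup
| sort 0 -score
| dedup risk_object
| outputlookup risk_lookup
```

Objects missing from the lookup get prevScore=0 from fillnull, so a first alert needs a score of at least 100, and the dedup after the descending sort keeps the highest score per object whether it came from the lookup or from this run. Each scoped search (1, 4, 8, 24) uses its own eval for search_scope so the lookup records which one fired.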