"src_bunit" can come from a number of places, but initially it is introduced via an asset or identity lookup (these run automatically). There are a number of ways to persist this into your notable events:

1. Retain the field using a transforming command (e.g. values(src_bunit) as src_bunit).
2. map_notable_fields is only relevant if your search does not have a transforming command (contains _raw).
3. If your notable events contain a subject (src/dest/dvc/orig_host) or an identity field (src_user, user), we re-introduce "src_bunit" as part of the asset/identity lookups performed on the notable event. This is OUTPUTNEW, so these lookups will not overwrite the field if it was persisted using #1.
David
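As an added illustration of option 1 above (this is not part of David's answer, nor a search shipped with Enterprise Security), here is a correlation search that carries src_bunit through a transforming command. The index, sourcetype, event code and the failure threshold are assumptions made for the example; substitute your own.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, values(src_bunit) as src_bunit, earliest(_time) as first_seen, latest(_time) as last_seen by src, user
| where count > 20
```

Because src_bunit is produced by the automatic asset lookup on src before stats runs, it only survives the aggregation if it is named inside it: drop it from values() and it is absent from the notable event. With it retained, the OUTPUTNEW lookup performed on the notable (option 3) leaves the persisted value alone.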