I have rule_id and If I split the rule_id with delimiter "@@notable" the first part will match the values of source_guid in notable index.  ... View more

Thanks @gcusello  I tried to run a query something like this: | inputlookup incident_updates_lookup | eval source_guid_in_lookup=mvindex(split(rule_id, "@@notable@"), 0) | join type=left source_guid_in_lookup [ search index=notable | rename source_guid as source_guid_in_lookup ] | table rule_id, source_guid_in_lookup, source_event_id, status By this, I want to fetch the source_event_id(notable_id). If I split the rule_id at "@@notable@" the first part would match the source_guid field in notable index. But when I ran this query, I was not able to get any source_event_id. That column returns no entry. Could you please help me to modify this query?  ... View more

When I tried first query, it did show me the time and severity. But there was no single entry for owner, status and rule_title field. For other two queries, no results at all. ... View more

I tried with index=notable. I couldn't see the status change fields for all the notables. Does splunk store all the changes made to a notable event? Is there anything like audit log which keeps tracks of every changes into the events? ... View more