Next, check the post-upgrade documentation to confirm you've completed all the required steps to have ES working correctly. Also verify that your previous notable events are present, as these may need to be restored from your KV store backup given the large gap between Splunk ES versions.
Create a manual notable event and verify that it appears on the Incident Review page. This confirms that Enterprise Security is (for the most part) configured correctly.
If required, search the internal logs for errors and warnings: index=_internal sourcetype=splunkd source=*splunkd.log " ERROR " OR " WARN ". You may want to check other log sources as well, but this search will point to the most significant problems.
Confirm that correlation searches have run, and verify that they are generating events that result in the creation of notables. The upgrade from 4.x to 6.x is quite significant, and much may have changed in the SPL of these alerts. For example, searches that previously referred to indexes and sourcetypes may now refer to data models. If necessary, create your own enabled correlation search with a notable event action and verify that its notables appear on the Incident Review page.
If the searches are running and the notable event index is populating, but Incident Review is empty, confirm that notable events are being created in index=notable. If they are, check the `notable` and `incident_review` macros to determine whether any errors occur during enrichment. Errors there could indicate a problem with the KV store lookups or the underlying mongod service that the KV store runs on.
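The same ERROR/WARN triage can be run directly against a copy of splunkd.log on disk, which helps when the search head itself is the component in doubt. The following is an added example, not part of the original checklist: the line layout in the regular expression, the KV store name hints and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed splunkd.log layout:
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [thread] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)(?: \[[^\]]*\])? - (?P<msg>.*)$"
)
# Assumption: component names containing these substrings relate to the
# KV store or the mongod process behind it.
KV_HINTS = ("kvstor", "mongo")

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = """\
03-02-2021 14:05:10.001 +0000 INFO  Metrics - group=queue, name=indexqueue
03-02-2021 14:05:11.123 +0000 ERROR KVStorageProvider - constructed example: batch save failed
03-02-2021 14:05:11.456 +0000 WARN  SavedSplunker - constructed example: search skipped
03-02-2021 14:05:12.789 +0000 ERROR KVStorageProvider - constructed example: batch save failed
03-02-2021 14:05:13.000 +0000 ERROR MongodRunner [4242 MongodLogThread] - constructed example: mongod exited
    continuation line of a multi-line message
"""

def triage(text, levels=("ERROR", "WARN")):
    """Count (level, component) pairs; lines that do not parse are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["level"] in levels:
            counts[(m["level"], m["component"])] += 1
    return counts

def kvstore_suspects(counts):
    """Components whose names suggest KV store or mongod trouble."""
    return sorted({c for (_, c) in counts if any(h in c.lower() for h in KV_HINTS)})

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (level, comp), n in result.most_common():
        print(f"{n:>4} {level:<5} {comp}")
    print("KV store related:", kvstore_suspects(result))
```

To use it on a real instance, pass the contents of the splunkd.log file to `triage()` in place of `SAMPLE_LOG`.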