With all the help from @solarboyz1, the correlation searches produce now notable events, which show up in the Incident Review page.
index=notable shows them but | inputlookup incident_review_lookup shows zero results.
index=notable
| inputlookup incident_review_lookup
Why is that?
The state and ownership information are stored in the incident_review_lookup
incident_review_lookup
Until an action is taken on the notable, I don't believe anything will stored for it in incident_review_lookup
http://dev.splunk.com/view/enterprise-security/SP-CAAAFA9
View solution in original post
Once you assign the notable event/incident to an user, you can notice records in incident_review_lookupfile.
Right, just saw it running and | inputlookup incident_review_lookup shows the assigned incident.
