Working with support, I noticed that ES is not extracting the events properly in index=notable which leads to these unknown values. From what I am seeing, Splunk's extraction needs to be updated because they are expecting field="value" which means value needs to be surrounded by quotes. However, if your value has a backslash character before one of the quotes, the extraction breaks.
Do a search in index=notable and find one of the events that isn't being extracted and look to see if you have anything that would break the extraction.
... View more