This is an interesting use case, and it's going into mad science territory, so hang on. The way I envision making this work is two parts:

One, edit your correlation search to also search | inputlookup incident_review_lookup, then narrow it down to see if the specific details you want to search off are already in there. If it is, and isn't yet closed, then set var_underreview = 1.

Two, add an "is var_underreview > 0" to see if it is a finding.

That way, only items that aren't under review will trigger notables, and ergo, only those will fire. If you need to, you could separate the creating of notables from the firing of alerts, but that would duplicate effort.

-- Michael S