To add a new column to the Notable Event table in the Incident Review dashboard, you need to follow these steps:

On the Splunk Enterprise Security menu bar, click Configure > Incident Management > Incident Review Settings.

On the Incident Review Settings page, click the Table Attributes tab.

On the Table Attributes tab, click Add New Attribute.

Enter the name of the attribute that you want to add as a column, such as src or dest. The name must match the field name in the notable event data model.

Enter a label for the attribute that will appear as the column header, such as Source or Destination.

Enter a description for the attribute that will appear as a tooltip when you hover over the column header.

Select the data type for the attribute, such as string or number.

Select the visibility for the attribute, such as visible or hidden.

Click Save to save the new attribute.

Refresh the Incident Review dashboard to see the new column in the Notable Event table. References =

Add custom columns to the Incident Review dashboard in Splunk Enterprise Security