When creating custom correlation searches, what format is used to embed field values in the title, description, and drill-down fields of a notable event?

The correct format for embedding field values in the title, description, and drill-down fields of a notable event in custom correlation searches is the use of dollar signs, specifically $fieldname$. This syntax indicates that the text within the dollar signs should be replaced with the actual value of the specified field at runtime when the notable event is generated.

Using the dollar sign format allows for dynamic updates based on the data being processed, making it versatile for creating meaningful and contextually relevant notable events. This is particularly important in security contexts where different field values may greatly enhance the clarity and relevance of alerts or notifications triggered by correlation searches.

The other formats (quotation marks, percentage signs, and underscores) do not serve the same purpose when embedding field values in Splunk's notable events. They either represent static text or have different syntactic functions within Splunk, so they would not achieve the desired dynamic replacement.