Splunk Search

Field name getting reflected in the same field value

qbolbk59
Path Finder

While listing out the values of a field in a table, the name of the field is getting listed in the field values. It doesn't seem to be a parsing issue, as the problem is observed only for one user while it's working fine for the rest.

Could it be a bug?


sudosplunk
Motivator

Hi, can you provide more information (possibly screenshots) about your issue?


qbolbk59
Path Finder

Hi @sudosplunk

Let me illustrate this with an example. Consider I have a field named "class" and it has values A, B, C and D. So when I create a table and list out all the values of this field, ideally I should get the result as below:

class (column name)
A
B
C
D

But for some strange reason, the result that I am getting is:

class (column name)
class
class
class
class

Another reason why it's strange is that this table is in a dashboard, and all other users can see the first table except one user, even though all users have the same rights.


sudosplunk
Motivator

Can you provide the search you're using and sample events which have the "class" field and its values?


qbolbk59
Path Finder

Hey @sudosplunk,

I have used the below-mentioned query. It's a simple index-based search. You can see in the query that there's a field named "Class" in my event logs, and while I created the table I changed the name of the field to "Vulnerability". This field has different values (names of vulnerabilities). But in the table, it's showing the value "Class", which is the actual name of the field.

index=whitehat (id!=51587833 AND id!=51587836 AND id!=51587841 AND id!=51587851 AND id!=51587855 AND id!=51587869 AND id!=51589034 AND id!=51589041 AND id!=51589056 AND id!=51589063)
| where isnotnull(id)
| rex field=_raw "<tags><tag>(?<ifreported>[^\<]+)<\/tag><\/tags>"
| eval closed_date = strptime('closed', "%Y-%m-%dT%H:%M:%SZ")
| eval opened_date = strptime('opened', "%Y-%m-%dT%H:%M:%SZ")
| eval first_opened = strptime('first_opened', "%Y-%m-%dT%H:%M:%SZ")
| stats values(status) as status1, values(opened_date) as odate, values(closed_date) as cdate, values(opened) as Opened_on, values(risk) as risk, values(class) as Vulnerability, latest(ifreported) as Ticket, values(site_name) as site by id
| eval omdate=mvindex(odate,-1)
| eval cmdate=mvindex(cdate,-1)
| eval Open=mvindex(Opened_on,-1)
| where (omdate>cmdate) OR (isnull(cmdate))
| search risk IN (5,4)
| table id,Ticket,site,Vulnerability,risk,Open
| sort - risk
| rename id as "Vulnerability ID", Ticket as "RF Ticket", site as "Application", risk as "Severity", Open as "Open Since"
| replace "5" with "Critical" in Severity
| replace "4" with "High" in Severity
| fillnull value="RF ticket not found" "RF Ticket"

And this issue is only observed for one user, while all other users (with the same permissions) can see the vulnerability values in this Vulnerability column.


FrankVl
Ultra Champion

And you are sure that user has not made local changes to that dashboard and is looking at their own local copy, which has a different search that causes this issue?


qbolbk59
Path Finder

Hey @FrankVl, nope. It's the same dashboard accessed by all users.
