Thanks for your fast responses. Some more context: For incident response, we want to generate a text block with all notables below each other, where a security analyst can write his conclusion below every notable, like this:

* Short-lived group membership
ID: F3y4IS
Time: 05/14/2024 11:12:28
Destination: xyz
Source User: abc
User / Group: def
Destination Group: ghi
-->
* Usage of Default Account "administrator"
ID: L32op/, WTBxMy
Date: 05/17/2024 20:39:04
Destination: xyz
Source User: abc
User / Group: def
Destination Group: ghi
-->
* Malware detected ...

For this, I already wrote the following query to get the current notables to analyse:

`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| table search_name ID _time `text_block_fields_default`

If I transpose this, I get the first table I posted. In the macro `text_block_fields_default` are interesting fields to include in the report, like "action, app, dest, src, etc.". So the solution shouldn't be dependent on column names.

I already have this query, which generates the text block for one specific notable:

`notable`
| search event_id="BAAAD325-8391-4075-81A2-AB145A1FA2FB@@notable@@80497c055c45b92d73bd74e700c1b6f9"
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| table search_name ID _time `text_block_fields_default`
| `ctime(_time)`
| rename _time as time
| transpose include_empty=False column_name=text_block
| eval "row 1"=mvjoin('row 1', ",")
| eval text_block=if(text_block="search_name","* ",text_block.": "),text_block=replace(text_block,"(.{21}).*","\1")
| eval text_block=text_block . 'row 1'
| append [| makeresults | eval text_block="--> " ]
| table text_block

Thanks in advance for your help!
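The per-notable query in the post can be generalised to every open notable in one pass without `transpose`: build the text block as a multivalue field, one value per output line, and then expand it into rows. The following SPL is an added example, not code from the original post; it assumes that the `text_block_fields_default` macro expands to a field list that `foreach` accepts, that the ES macros `notable`, `suppression` and `ctime` are available as used in the post, and it has not been run against an ES instance.

```spl
`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| `ctime(_time)`
| rename _time AS time
| table search_name ID time `text_block_fields_default`
| eval text_block="* " . search_name
| foreach ID time `text_block_fields_default`
    [ eval text_block=if(isnull('<<FIELD>>') OR '<<FIELD>>'="",
                         text_block,
                         mvappend(text_block, "<<FIELD>>: " . mvjoin('<<FIELD>>', ","))) ]
| eval text_block=mvappend(text_block, "-->")
| mvexpand text_block
| table text_block
```

`foreach` substitutes each field name for `<<FIELD>>`, so the labels are taken from whatever the macro lists and nothing in the search names a column; the `isnull` check plays the role of `transpose include_empty=False`, and `mvjoin` flattens multivalued fields such as several `ID` values from the xref lookup, as in the post's own `mvjoin('row 1', ",")`. `mvexpand` keeps rows in notable order, so the output has the same one-line-per-row shape as the original transposed query, with `-->` closing each notable.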