This is an interesting use case. Here is an idea based on @ITWhisperer's prototype.

~~~
`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
| foreach search_name ID _time `text_block_fields_default`
    [eval row = mvappend(row, json_object("name", "<<FIELD>>", "value", <<FIELD>>))]
| table row
| mvexpand row
| eval column = json_extract(row, "name"), new_row = json_extract(row, "value")
| fields - row
~~~

(JSON functions require 8.1 or higher. The same can be achieved using the traditional string concatenation method.)

Using this mock data

| search_name | ID | _time | bar | foo |
|---|---|---|---|---|
| UC-315 | 7zAt/7 | 13:27:17 | bar1 | foo1 |
| UC-231 | 5Dfxdf | 13:27:17 | bar2 | foo2 |

output will be: (bar, foo, of course, represent `text_block_fields_default`)

| column | new_row |
|---|---|
| search_name | UC-315 |
| ID | 7zAt/7 |
| _time | 13:27:17 |
| bar | bar1 |
| foo | foo1 |
| search_name | UC-231 |
| ID | 5Dfxdf |
| _time | 13:27:17 |
| bar | bar2 |
| foo | foo2 |

Here is the full emulation

~~~
| makeresults format=csv data="search_name, ID, _time, foo, bar
UC-315, 7zAt/7, 13:27:17, foo1, bar1
UC-231, 5Dfxdf, 13:27:17, foo2, bar2"
| table search_name ID _time *
``` the above emulates
`notable`
| search urgency IN ("high", "critical") status_label IN ("Unassigned", "New", "In Progress") NOT `suppression`
| lookup notable_xref_lookup event_id OUTPUT xref_id AS ID
```
| foreach search_name ID _time * ``` * represents `text_block_fields_default` ```
    [eval row = mvappend(row, json_object("name", "<<FIELD>>", "value", <<FIELD>>))]
| table row
| mvexpand row
| eval column = json_extract(row, "name"), new_row = json_extract(row, "value")
| fields - row
~~~