Hey @sudosplunk ,
I have used the query below. It's a simple index-based search. You can see in the query that there's a field named "Class" in my event logs, and while I created the table I changed the name of the field to "Vulnerability". This field has different values (names of vulnerabilities). But in the table, it's showing the value "Class", which is the actual name of the field.
index=whitehat (id!=51587833 AND id!=51587836 AND id!=51587841 AND id!=51587851 AND id!=51587855 AND id!=51587869 AND id!=51589034 AND id!=51589041 AND id!=51589056 AND id!=51589063)
| where isnotnull(id)
| rex field=_raw "<tags><tag>(?<ifreported>[^\<]+)<\/tag><\/tags>"
| eval closed_date = strptime('closed', "%Y-%m-%dT%H:%M:%SZ")
| eval opened_date = strptime('opened', "%Y-%m-%dT%H:%M:%SZ")
| eval first_opened = strptime('first_opened', "%Y-%m-%dT%H:%M:%SZ")
| stats values(status) as status1, values(opened_date) as odate, values(closed_date) as cdate, values(opened) as Opened_on, values(risk) as risk, values(class) as Vulnerability, latest(ifreported) as Ticket, values(site_name) as site by id
| eval omdate=mvindex(odate,-1)
| eval cmdate=mvindex(cdate,-1)
| eval Open=mvindex(Opened_on,-1)
| where (omdate>cmdate) OR (isnull(cmdate))
| search risk IN (5,4)
| table id,Ticket,site,Vulnerability,risk,Open
| sort - risk
| rename id as "Vulnerability ID", Ticket as "RF Ticket", site as "Application", risk as "Severity", Open as "Open Since"
| replace "5" with "Critical" in Severity
| replace "4" with "High" in Severity
| fillnull value="RF ticket not found" "RF Ticket"
And this issue is only observed for one user, while all other users (with the same permissions) can see the value of the vulnerability in this Vulnerability column.