Hi @anisgupt ,
Please try below query and let me know if it helps:
| makeresults
| eval CN="cn1", Lev="1", ref1="1", ref2="2", ref3="3", ref4="4", ref5="", ref6=""
| append
[| makeresults
| eval CN="cn2", Lev="2", ref1="", ref2="", ref3="", ref4="", ref5="5", ref6="6" ]
| eval cr=mvzip(CN,Lev,"-")
| fields - _time Lev CN
| untable cr Ref Count
| rex field=cr "(?P<CN>[^\,].+)-(?P<Lev>.+)"
| table CN Lev Ref Count| where Count>0
