Note that this solution assumes the length of your user names are identical.

Haha, right now it is like "Give them a finger, and they'll take the whole hand" situation for me :).

Thanks for this, not working right now, maybe because user names are of different length

One question - why is the length of user name a factor? Asking because in my case I will have usernames with different length

@pushpender07 -

That method will spackle the different values together on one line. If they don't have the same length, then it would look wonky. Here's run-anywhere code to prove that it works as written -

 | makeresults 
 | eval mydata="Region1@ABC,BCD,CDE,FEF Region2@XYZ,MNO,PQR Region3@123,456,789,234,345,678,910"
 | makemv mydata 
 | mvexpand mydata 
 | eval region=mvindex(split(mydata,"@"),0) 
 | eval user=mvindex(split(mydata,"@"),1)
 | makemv delim="," user 
 | mvexpand user  
 | table user region
 | rename COMMENT as "above just creates test data"

 | stats values(user) as user, dc(user) as usercount by region
 | eval region = region." (".usercount.")"
 | fields - usercount
 | mvexpand user
 | streamstats count as reguserno by region
 | eval reguserno=reguserno%3
 | stats values(user) as user by region reguserno 
 | nomv user
 | stats values(user) as user by region 
 | transpose header_field=region 
 | fields - column

Splunk doesn't like leaving spaces between items. It is possible to do, but unfortunately, the interface does not present the results in a fixed-width font anyway, so "columnizing" results internal to a field isn't really an option.

Here's a version that will create multiple columns for each region, and will go beyond 3 vertically (MaxColLength) if a MaxColLength of 3 would push the number of horizontal columns for a single region to more than 3

 | stats values(user) as user, dc(user) as usercount by region
 | eventstats max(usercount) as maxusers
 | eval region = region." (".usercount.")"
 | eval MaxColLength=if(maxusers<9,3, ceiling(maxusers/3))
 | fields - usercount maxusers
 | mvexpand user
 | streamstats count as reguserno by region
 | eval reguserno=floor((reguserno+MaxColLength-1)/MaxColLength) 
 | stats values(user) as user by region reguserno 
 | eval region = region.substr("          ",1,reguserno)
 | fields - reguserno
 | transpose 0 header_field=region
 | fields - column

Note - I just can't stop giving cookies to that mouse, can I?

Note - I just can't stop giving cookies to that mouse, can I? - Haha, thanks a lot. Cookies are much appreciated. This works for me, thanks a ton.

I will try to merge the region name as in this case the region name is repeated in the column.

@pushpender07 - sorry, that's a glass of milk I don't have. There ought to be a way to make the column headings after the first one disappear, but I couldn't find a way that didn't require a straw, and then a napkin, and then eventually starting over with a moose.

haha, thanks :). will post if I am able to do so.

Thanks, don't know how to use .css, will find out and check. I might not have the required permissions level.