This is a little tricky to explain but I have this query:
index = active_directory directReports=* sAMAccountName=*
| rex field=directReports max_match=0 "CN=(?<memberOf>[^,]+)"
| rex field=memberOf mode=sed "s/\./ /g"
| rename sAMAccountName as Manager memberOf as Employee
| table Manager Employee
This displays as manager in column 1 and lists employees in column 2 :
How can I unlist the employees as separate rows as follows
Manager employee
Manager employee
Manager employee
Manager employee
TIA
