Splunk Search

result of makemv not as expected

rrovers
Contributor

With this search

index=useradmin sourcetype=role_capabilities
| eval capabilities=replace(capabilities,"\s",",")
| makemv delim="," capabilities
| table role capabilities

I expected a result like

role1 capability1

role1 capabiltity2

role1 capabitity3

role 2 capability1

instead I get

role 1 capabilty1

            capabilty2

            capabilty3

role 2 capability1

Probably my expectations of makemv are not correct but I can't find another command to make this work.

The reason I want it in this way is to get layout of the print of the dashboard I use this with properly.

 

 

Labels (2)
0 Karma
1 Solution

493669
Super Champion

@rrovers try using mvexpand comand on your results set-

...|mvexpand capabilities

View solution in original post

rrovers
Contributor

@493669, thanks, that's what I was looking for

0 Karma

493669
Super Champion

@rrovers  Please accept it as solution to help future readers as well.

0 Karma

493669
Super Champion

@rrovers try using mvexpand comand on your results set-

...|mvexpand capabilities
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...