With this search
index=useradmin sourcetype=role_capabilities
| eval capabilities=replace(capabilities,"\s",",")
| makemv delim="," capabilities
| table role capabilities
I expected a result like
role1 capability1
role1 capabiltity2
role1 capabitity3
role 2 capability1
instead I get
role 1 capabilty1
capabilty2
capabilty3
role 2 capability1
Probably my expectations of makemv are not correct but I can't find another command to make this work.
The reason I want it in this way is to get layout of the print of the dashboard I use this with properly.
