Custom command to generate table from multivalue events
Example for WSUS data:
| mvtable mvfields='kbnumber,arrival_date' keepfields='host,OS,_time' | table *
mvfields: the fields containing several values. The cardinality of the first field in the list is assumed to be the desired number of output rows.
keepfields: the single-value fields to be retained on each resulting row.
Example from the screenshot:
| makeresults | eval kbnumber="1234 5678 9012" | eval arrival_date="2019.05.17 2019.05.17 2019.05.17 2019.05.17" | eval host="test" | eval OS="Windows 10"
| eval kbnumber=split(kbnumber," ") | eval arrival_date=split(arrival_date," ")
| mvtable mvfields='kbnumber,arrival_date' keepfields='host,OS,_time' | table *
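The row expansion described above, sketched in Python as an added illustration (this is not the mvtable source code). The function name mvtable_rows and the sample event are constructed here, and the handling of fields whose value counts differ from the first field (pad with None, drop surplus values) is an assumption, since the description only fixes the row count.

```python
# Added illustration of the described semantics, not the mvtable source code.
def mvtable_rows(event, mvfields, keepfields):
    """Expand one multivalue event into one flat row per value."""
    if not mvfields:
        return []
    # Normalise each multivalue field to a list (a single value becomes a 1-item list).
    columns = {}
    for name in mvfields:
        value = event.get(name, [])
        columns[name] = list(value) if isinstance(value, (list, tuple)) else [value]
    # Per the description: the cardinality of the first listed field sets the row count.
    row_count = len(columns[mvfields[0]])
    rows = []
    for i in range(row_count):
        # Single-value fields are copied unchanged onto every output row.
        row = {name: event.get(name) for name in keepfields}
        for name in mvfields:
            values = columns[name]
            # Assumption: short fields are padded with None, surplus values are dropped.
            row[name] = values[i] if i < len(values) else None
        rows.append(row)
    return rows


# Constructed sample event mirroring the search example on this page:
# three KB numbers, four arrival dates.
SAMPLE_EVENT = {
    "_time": 1558051200,
    "host": "test",
    "OS": "Windows 10",
    "kbnumber": ["1234", "5678", "9012"],
    "arrival_date": ["2019.05.17"] * 4,
}

if __name__ == "__main__":
    for row in mvtable_rows(SAMPLE_EVENT, ["kbnumber", "arrival_date"], ["host", "OS", "_time"]):
        print(row)
```

With the sample event, the fourth arrival_date value has no matching kbnumber and does not produce a row, so patch records whose field counts disagree are worth checking before relying on the resulting table.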