Thank you!. The key for solving this was the rename command to _raw! But I have to remove the old fields completley - otherwise the table output (| table *  ---needed to display a stastic table ) will display ALL fields, _time, host, sourcetype, old_index etc. I added just before the split-command: | table tab_res | fields tab_res   ... View more

Background: I like to store the output of a table crypted into another index. example search from  user-1: ... | table user,host,_time,eventcode, status | 'macro X' example search from user-2: | table severity,proc,username,dest, source_ip | 'macro X' example search from user-3: | table date_minute,host,index | 'macro X' user-3 search creates this before the macro call: date_minute   host   index   34             h_a    prod 39             h_b    prod 44             h_c    prod macro X: | .... /|  now converting output of table into json field (thanks to this forum!) | appendpipe     [      | eventstats count as r_ev      | foreach *         [ | eval jsonmv_ = if("<<FIELD>>" == "r_ev",jsonmv_ , mvappend(jsonmv_,"'<<MATCHSTR>>':'" + <<FIELD>> + "'")  ) ]       | eval json_result = "{" + mvjoin(jsonmv_,",") + "}"       | fields - jsonmv_       | stats values(json_result) AS table_result by r_ev       /## here the field "table_result"  for user-3 is a long string:    {date_minute:34,host:h_a,index:prod} {date_minute:39,host:h_b,index:prod} {date_minute:44,host:h_c:index:prod}   /       /| ##crypting the table_result ->output field is table_result_crypted/       | table some_fiels , table_result_crypted       | collect index=XXX  ]        Now I have the result of the user search from the user-1 or user-2 as a json-field crypted in another index. In a dashboard I like to have a table as the user-1 or user-2  or user-3 had: in the beginning: index=XXX | /####decrypting the field into field "tab_res" : I have the same field content as table_result above / | /##removing {} / | rex mode=sed field=tab_res "s/}//g" | rex mode=sed field=tab_res "s/{//g" | eval fields=split(tab_res," ") | mvexpand fields |  table fields ---> here I have a table with 3rows, 1 column: date_minute:34,host:h_a,index:prod date_minute:39,host:h_b,index:prod date_minute:44,host:h_c:index:prod but I need to split in a dynamic way the rows into columns not knowing how much fields or lines I will have. Nice would be to have something like this pseudo-code: | split_into_columns delim=","  "header:cell_content" Output date_minute   host   index   34             h_a    prod 39             h_b    prod 44             h_c    prod I tried to split at delim "," (did not work!) and transpose the table.....not working.... ... View more

to clarify: it is not a normal output whith known fields and number of fields. the fields are dynamicly created from a different search. The result of this search is pasted to through a macro, done some work on the fields. Now I have the table with one column and an unkown/dynamic amount of fields and names. So I cannot be sure about the amount of fields or the names. I tried with mv-operations, transpose or split operations but get stuck.   ... View more

same here  please see https://community.splunk.com/t5/Splunk-Cloud-Platform/Bug-PDF-Export-no-longer-exports-Pie-Charts-with-percentage/m-p/621292#M1894 ... View more

facing the same problem and removing the option line in the xml did not solve this problem. SplunkVersion 8.2.4 ... View more