https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349177#M103376 <P>Perfect, thank you!</P> Mon, 19 Jun 2017 12:50:42 GMT R0ss 2017-06-19T12:50:42Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349175#M103374 <P>Hello,</P> <P>I'm having trouble grouping errors in our Splunk logs. The date and time is appended to the error messages, meaning that every message is unique. For example:</P> <P><STRONG><EM>Message=2017-06-19 09:15:23,825 ERROR - Here is the error message that we would like to group on...</EM></STRONG></P> <P>I would like to ignore the date/time string and group on the text that appears after this. The best I have come up with is as follows:</P> <P><STRONG><EM>Type=Error | eval ErrorString=substr(Message,30,len(Message)) | stats count by ErrorString</EM></STRONG></P> <P>But this search still seems to evaluate as if the date is present in the new ErrorString string (the count is always 1 and ErrorString's are duplicated across rows)</P> <P>Could you help me to write a query that would group the error messages and ignore the date/time.</P> <P>Thanks,<BR /> Ross</P> Mon, 19 Jun 2017 09:04:59 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349175#M103374 R0ss 2017-06-19T09:04:59Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349176#M103375 <P>You can extract the string at the end and use it in the grouping -</P> <PRE><CODE>&lt;your search&gt; | rex field=Message "(?&lt;ErrorString&gt;ERROR.+)" | stats count by ErrorString </CODE></PRE> Mon, 19 Jun 2017 11:43:31 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349176#M103375 dineshraj9 2017-06-19T11:43:31Z https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349177#M103376 <P>Perfect, thank you!</P> Mon, 19 Jun 2017 12:50:42 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-by-a-substring/m-p/349177#M103376 R0ss 2017-06-19T12:50:42Z