https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353905#M170158 <P>following are the output of a filed</P> <P>file=a.csv<BR /> file=a1.csv<BR /> file=a2.csv<BR /> file=b.csv<BR /> file=b1.csv</P> <P>What i required is while executing |stats count by file i need following result<BR /> a=3 and b=2<BR /> is there any way to get this result</P> Fri, 20 Apr 2018 17:15:59 GMT n4niyaz 2018-04-20T17:15:59Z https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353905#M170158 <P>following are the output of a filed</P> <P>file=a.csv<BR /> file=a1.csv<BR /> file=a2.csv<BR /> file=b.csv<BR /> file=b1.csv</P> <P>What i required is while executing |stats count by file i need following result<BR /> a=3 and b=2<BR /> is there any way to get this result</P> Fri, 20 Apr 2018 17:15:59 GMT https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353905#M170158 n4niyaz 2018-04-20T17:15:59Z https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353906#M170159 <P>You can use this to get the first character of the file name:</P> <PRE><CODE>| eval file=substr(file,0,1) </CODE></PRE> <P>So insert that directly before your call to</P> <PRE><CODE>| stats count by file </CODE></PRE> <P>and you should get the desired result.</P> Fri, 20 Apr 2018 17:51:55 GMT https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353906#M170159 elliotproebstel 2018-04-20T17:51:55Z https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353907#M170160 <P>above looking good but suppose if the the field name contains date and time like below</P> <P>file=a_2017-09-16_12:00:00.csv<BR /> file=a_2017-09-17_12:00:00.csv<BR /> file=b.csv<BR /> file=b1.csv<BR /> file=b_2017-09-17_12:00:00.csv</P> <P>|stats count by file gives a=2 and b=2 and b1 =1</P> <P>Can i get this result using regex</P> Tue, 29 Sep 2020 19:10:57 GMT https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353907#M170160 n4niyaz 2020-09-29T19:10:57Z https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353908#M170161 <P>Sure. If you want the category of file to be "everything that comes before either a period or an underscore", then this will work:</P> <PRE><CODE>|rex mode=sed field=file "s/([^_\.]+)(.*)/\1/" </CODE></PRE> Fri, 20 Apr 2018 18:47:46 GMT https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353908#M170161 elliotproebstel 2018-04-20T18:47:46Z https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353909#M170162 <P>Thanks @elliotproebstel I used mvindex(split) command so it works fine ie</P> <P>|eval test=mvindex(split(file,_201),0) so i get the result now.</P> Sat, 21 Apr 2018 17:52:32 GMT https://community.splunk.com/t5/Splunk-Search/Remove-last-values-of-a-field-result/m-p/353909#M170162 n4niyaz 2018-04-21T17:52:32Z