https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451656#M191252 <P>It worked!!!!!!! Thank you!!!!!</P> Thu, 15 Aug 2019 18:08:26 GMT reverse 2019-08-15T18:08:26Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451650#M191246 <P>Lets say .. My result would produce </P> <PRE><CODE>a.log a.log.1 a.log.2 a.log.3 b.log b.log.1 b.log.2 b.log.3 c.log c.log.1 c.log.2 c.log.3 </CODE></PRE> <P>I want the final result as </P> <PRE><CODE>a.log b.log c.log </CODE></PRE> <P>Thoughts ?</P> Thu, 15 Aug 2019 17:19:15 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451650#M191246 reverse 2019-08-15T17:19:15Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451651#M191247 <P>are these fields or values?</P> Thu, 15 Aug 2019 17:21:43 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451651#M191247 mayurr98 2019-08-15T17:21:43Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451652#M191248 <P>@mayurr98 · these are values</P> Thu, 15 Aug 2019 17:22:11 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451652#M191248 reverse 2019-08-15T17:22:11Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451653#M191249 <P>Try this run anywhere search</P> <PRE><CODE>| makeresults | eval field1="a.log a.log1 a.log2 a.log3 " | makemv field1 | mvexpand field1 | appendcols [| makeresults | eval field2="b.log b.log1 b.log2 b.log3 " | makemv field2 | mvexpand field2] | replace a.log* WITH a.log IN field1 | replace b.log* WITH b.log IN field2 </CODE></PRE> <P>Try </P> <P><CODE>| replace a.log* WITH a.log IN fieldname| replace b.log* WITH b.log IN fieldname | so on</CODE></P> <P>replace documentation:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Replace</A></P> <P>OR another way is </P> <PRE><CODE>|eval field1=replace(field1,"(a.log).*","\1"), field2=replace(field2,"(b.log).*","\1"), so on </CODE></PRE> Thu, 15 Aug 2019 17:27:13 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451653#M191249 mayurr98 2019-08-15T17:27:13Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451654#M191250 <P>but this wont help as there are 70 varieties of logs </P> Thu, 15 Aug 2019 17:38:50 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451654#M191250 reverse 2019-08-15T17:38:50Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451655#M191251 <P>Try something like this..</P> <PRE><CODE>| makeresults | eval field1="a.log a.log1 a.log2 a.log3 " | makemv field1 | mvexpand field1 | appendcols [| makeresults | eval field2="b.log b.log1 b.log2 b.log3 " | makemv field2 | mvexpand field2] | table field1 field2| foreach field* [eval &lt;&lt;FIELD&gt;&gt;=replace(&lt;&lt;FIELD&gt;&gt;,"^(\w+)(.log).*","\1\2")] </CODE></PRE> <P>This will do for each and every fields<CODE>field*</CODE> </P> <P><CODE>| foreach field* [eval &lt;&lt;FIELD&gt;&gt;=replace(&lt;&lt;FIELD&gt;&gt;,"^(\w+)(.log).*","\1\2")]</CODE></P> Thu, 15 Aug 2019 18:01:53 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451655#M191251 mayurr98 2019-08-15T18:01:53Z https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451656#M191252 <P>It worked!!!!!!! Thank you!!!!!</P> Thu, 15 Aug 2019 18:08:26 GMT https://community.splunk.com/t5/Splunk-Search/distinct-first-n-characters-of-string/m-p/451656#M191252 reverse 2019-08-15T18:08:26Z