Hi .. thanks for the reply. i dont know where i am missing. its not working for me.

for instance...

| foreach *.stackTrace [| eval <<FIELD>> = "hello"]
| stats latest(field1.field2.x.x.stackTrace) as stacktrace by fieldN.msg

hello is not getting printed

.........

but when i give 

| foreach field1.field2.x.x.stackTrace [| eval <<FIELD>> = "hello"]
| stats latest(field1.field2.x.x.stackTrace) as stacktrace by fieldN.msg

hello is getting displayed 

Thanks for helping me .

I am getting NA for all events.. but if i use coalesce('field1.field2.x.stacktrace{} ', 'field1.field2.x.x.stacktrace{}', 'field1.field2.x.x.x.stacktrace{}') i am getting the stacktrace .. but i thought it would be great if i loop through and find the stacktrace at different levels because stacktrace might be in some other level as well 

Hi. What is <<field>> in the answer. And how to get only first 2 or 3 lines from that stacktrace

<<FIELD>> comes from the foreach command (see the documentation as directed earlier)

Not sure what the ask is here - does the stacktrace field already hold the whole trace and you want to trim it to just a couple of lines, or something else?

Hi, in my case the stacktrace is a array containing multiple lines containing the stacktraced..

{ 

   a: { 

        app: xxx     

   }

   Log: { 

     level: fatal

     msge: err msg

   Y: { 

       Zz: { 

         Zz: { 

         }

         stackTrace: [ ggggggggggggg

jijii

kjjoijo

kjkjlkjlj

         ]

       }

              stackTrace: [     

line1       

line2

line3   

line4                                           

       ]

     }

       }

}

stacktrace may/maynot be available in events. if available it is available in different level and i need to get the 1st 2 or 3 lines and display the latest stacktrace and the latest timestamp of event which is grouped based on app

If stackTrace is a multivalue field, use mvindex

| eval shortstack=mvindex(stackTrace,0,1)

Yes. If the returned stacktrace has complete stacktrace and just need to trim 1st 2 or 3 lines.. 

| rex field=stacktrace (?<stacktrace>.+\n.+)

Thanks for your reply.  could you kindly explain what it is doing, so i can understand what it is doing

your current search before stats
| eval stacktrace=null() 
##Created stacktrace field with initial null() value.##
| foreach *.stacktrace [| eval stacktrace=coalesce('<<FIELD>>', stacktrace) ]
## Loop through all *.stacktrace fields that are available at different level,e.g field.x.stacktrace, field.y.z.stacktrace etc, and take the last not-null value and store it in stacktrace field. If you want to take first not-null value, reverse the position of stacktrace. i.e. | eval stacktrace=coalesce(stacktrace, '<<FIELD>>')##
| eval stacktrace=coalesce(stacktrace,"NA")
## if stacktrace value is still null after the loop, means no other *.stacktrace field has value, use "NA" as default value.
| stats count(fieldN.msg) , latest(field.time) latest(stacktrace) as stacktrace by fieldN.msg

sorry.what should i add in place of 

<<FIELD>>

That has to be used as is. The '<<FIELD>>' is placeholder literal string for foreach command. Think of it as loop variable or token.

https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Foreach