Generally, I want to transform:

    "sort_index"
    "89080_10.9.2.0"
    "89090_10.9.1.0"
    "89150_10.8.5.0"
    ...

into:

    "sort_index"
    "10.9.2.0"
    "10.9.1.0"
    "10.8.5.0"

In short, I want to remove everything before the character "_".

I have tried many rex and wildcard expressions, but nothing worked. For example:

    | rex field=sort_index "\w{5}_(?<sort_index>\S+)"    (remove 5 characters before _ )
    | rename \d+_* as *
    | rename \w{5}_* as *

Could anyone please help me solve this problem?

Where does this problem come from?

Originally I created a timechart. As illustrated, the version is lexicographically sorted. I want it (field: version) to be sorted in reverse order, but

    | sort -_time, -version

simply did not work. So I created a new field named 'sort_index' and sorted on this new field. In order not to forget 'version', I combined the new 'sort_index' with 'version' by adding '_' in the middle. Now it is in the right order:

    10.9.2.0
    10.9.1.0
    10.8.5.0
    10.8.2.0
    10.7.3.0
    10.5.2.0

But I need to remove the prefix created previously.

This is the background for why I want to do this. If you have any better advice for achieving this, please give me your suggestion.

Best,
Chenglong