This is similar to https://community.splunk.com/t5/Splunk-Search/Merging-with-similar-strings-without-eval/m-p/484972

It works perfectly if the difference is at the end of the strings. But I do have some additional strings that are slightly different in the middle.

My Current Query

Base search
| eval Error=message
| rex mode=sed "s/(?m)^\s+//g"
| rex field=Error mode=sed "s/^((?<Msg>.+)\s)\S+/\1*/"
| top 25 Error,file_line,level by build
| table build level count file_line Error

Error String Example 1:

No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomething. Please write a rule *
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElse. Please write a rule *
No exception occurred when displaying value for task=inspect entity.name=software propertyKey=keyNameForSomethingElseElse. Please write a rule *

Error String Example 2

Locale is null for the language, es with ec, com.EditingContext@1y3y1u3e. Skip this *
Locale is null for the language, en with ec, com.ITEditingContext@2y5f3u3e. Skip this *

---

I would hope my output to be the following or similar:

Count, Error
3, No exception occurred when displaying value for task=inspect entity.name=software propertyKey=*. Please write a rule *
2, Locale is null for the language, *