Tested the rex and substr, which work perfectly. The abstract is giving some trouble; will check it again. https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Abstract

| makeresults
| eval samplelog="h1 #_\"he$$llohibye"
| rex field=samplelog "^(?P<EightCharsRex>........)"
| eval EightCharsSubStr=substr(samplelog,1,8)
```| abstract maxterms=9 maxlines=1```
| table samplelog EightCharsRex EightCharsSubStr

This produces this result:

samplelog              EightCharsRex    EightCharsSubStr
h1 #_"he$$llohibye     h1 #_"he         h1 #_"he