Hello all,

I've been trying to do the following for hours and seems like I need some assistance. We have a bunch of software versions in Splunk that we'd like to group by parent->child versioning. For example, I'd like my data to be grouped as shown below. If the value on the left side of the period matches, then they would be grouped together, regardless of the value on the left side of the . . Any grouped results that don't have at least 1 parent/child event would be ignored from the results.

Valid Results - how I'd like the data to be organized/grouped

Version             LastSeen
master              03/01/2016
    master.1        01/01/2016
    master.2        01/01/2016
    master.3        01/01/2016
deploy              03/01/2016
    deploy.001      01/01/2016
    deploy.1        01/01/2016
    deploy.2        01/01/2016
stage               03/01/2016
    stage.2         01/01/2016
    stage.3         01/01/2016

*Should be ignored because they don't have . subEvents - for example preDeploy.1, postDeploy.1 etc.. *

preDeploy             03/01/2016
postDeploy            03/01/2016
devBeta               03/01/2016

Full list of events

master          03/01/2016  01/02/2016
master.1        01/01/2016  01/02/2016
master.2        01/01/2016  01/02/2016
master.3        01/01/2016  01/02/2016
deploy          03/01/2016  01/02/2016
deploy.001      01/01/2016  01/02/2016
deploy.1        01/01/2016  01/02/2016
deploy.2        01/01/2016  01/02/2016
stage           03/01/2016  01/02/2016  
stage.2         01/01/2016    01/02/2016
stage.3         01/01/2016    01/02/2016
preDeploy       03/01/2016  01/02/2016
postDeploy      03/01/2016  01/02/2016  
devBeta         03/01/2016  01/02/2016
xrtBeta      03/01/2016 01/02/2016