https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401580#M116229 <P>The amx value is showing continuesly and the total_lag is showing the same repeated value for each lag and partition_name</P> <P>I want this <BR /> Topic_name total_lag partition_number lag<BR /> amx 240. 0. 20<BR /> 1. 30</P> Tue, 29 Sep 2020 20:08:25 GMT pswalia06 2020-09-29T20:08:25Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401578#M116227 <PRE><CODE>{"topic": "amx", "total_lag": 2670, "partitions": [{"lag": 117, "partition_number": 0}, {"lag": 122, "partition_number": 1}, {"lag": 130, "partition_number": 2}, {"lag": 130, "partition_number": 3}, {"lag": 148, "partition_number": 4}, {"lag": 144, "partition_number": 5}, {"lag": 158, "partition_number": 6}, {"lag": 130, "partition_number": 7}, {"lag": 123, "partition_number": 8}, {"lag": 145, "partition_number": 9}, {"lag": 130, "partition_number": 10}, {"lag": 127, "partition_number": 11}, {"lag": 123, "partition_number": 12}, {"lag": 121, "partition_number": 13}, {"lag": 118, "partition_number": 14}, {"lag": 125, "partition_number": 15}, {"lag": 133, "partition_number": 16}, {"lag": 161, "partition_number": 17}, {"lag": 134, "partition_number": 18}, {"lag": 151, "partition_number": 19}]} index=orion-platform source="/opt/bda/logs/kafkalag.log" |spath output=AA path=counterList{1} | rex field=AA "\"lag\":\s(?.\w+)\,\s\"partition_number\"\:\s(?\d+)\}" max_match=100 | table State1,partition_number </CODE></PRE> <P>Above command not working in splunk search.</P> Fri, 22 Jun 2018 14:54:33 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401578#M116227 pswalia06 2018-06-22T14:54:33Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401579#M116228 <P>Hi</P> <P>Can you please try the following search? I haven't used any regular expression but it will give you all the data from JSON event.</P> <PRE><CODE>YOUR_SEARCH | | rename partitions{}.lag as lag, partitions{}.partition_number as partition_number | eval temp = mvzip(lag,partition_number) | stats count by _time total_lag,topic,temp | eval lag = mvindex(split(temp,","),0) ,partition_number=mvindex(split(temp,","),1) | table topic total_lag lag partition_number </CODE></PRE> <P><STRONG>My Sample Search:</STRONG></P> <PRE><CODE>| makeresults | eval _raw="{\"topic\": \"amx\", \"total_lag\": 2670, \"partitions\": [{\"lag\": 117, \"partition_number\": 0}, {\"lag\": 122, \"partition_number\": 1}, {\"lag\": 130, \"partition_number\": 2}, {\"lag\": 130, \"partition_number\": 3}, {\"lag\": 148, \"partition_number\": 4}, {\"lag\": 144, \"partition_number\": 5}, {\"lag\": 158, \"partition_number\": 6}, {\"lag\": 130, \"partition_number\": 7}, {\"lag\": 123, \"partition_number\": 8}, {\"lag\": 145, \"partition_number\": 9}, {\"lag\": 130, \"partition_number\": 10}, {\"lag\": 127, \"partition_number\": 11}, {\"lag\": 123, \"partition_number\": 12}, {\"lag\": 121, \"partition_number\": 13}, {\"lag\": 118, \"partition_number\": 14}, {\"lag\": 125, \"partition_number\": 15}, {\"lag\": 133, \"partition_number\": 16}, {\"lag\": 161, \"partition_number\": 17}, {\"lag\": 134, \"partition_number\": 18}, {\"lag\": 151, \"partition_number\": 19}]}" | kv | rename partitions{}.lag as lag, partitions{}.partition_number as partition_number | eval temp = mvzip(lag,partition_number) | stats count by _time total_lag,topic,temp | eval lag = mvindex(split(temp,","),0) ,partition_number=mvindex(split(temp,","),1) | table topic total_lag lag partition_number </CODE></PRE> <P>Please let me know if assistance required.</P> <P>Thanks</P> Fri, 22 Jun 2018 15:52:22 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401579#M116228 kamlesh_vaghela 2018-06-22T15:52:22Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401580#M116229 <P>The amx value is showing continuesly and the total_lag is showing the same repeated value for each lag and partition_name</P> <P>I want this <BR /> Topic_name total_lag partition_number lag<BR /> amx 240. 0. 20<BR /> 1. 30</P> Tue, 29 Sep 2020 20:08:25 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401580#M116229 pswalia06 2020-09-29T20:08:25Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401581#M116230 <P>@pswalia06</P> <P>Are you looking for this?</P> <PRE><CODE>| makeresults | eval _raw="{\"topic\": \"amx\", \"total_lag\": 2670, \"partitions\": [{\"lag\": 117, \"partition_number\": 0}, {\"lag\": 122, \"partition_number\": 1}, {\"lag\": 130, \"partition_number\": 2}, {\"lag\": 130, \"partition_number\": 3}, {\"lag\": 148, \"partition_number\": 4}, {\"lag\": 144, \"partition_number\": 5}, {\"lag\": 158, \"partition_number\": 6}, {\"lag\": 130, \"partition_number\": 7}, {\"lag\": 123, \"partition_number\": 8}, {\"lag\": 145, \"partition_number\": 9}, {\"lag\": 130, \"partition_number\": 10}, {\"lag\": 127, \"partition_number\": 11}, {\"lag\": 123, \"partition_number\": 12}, {\"lag\": 121, \"partition_number\": 13}, {\"lag\": 118, \"partition_number\": 14}, {\"lag\": 125, \"partition_number\": 15}, {\"lag\": 133, \"partition_number\": 16}, {\"lag\": 161, \"partition_number\": 17}, {\"lag\": 134, \"partition_number\": 18}, {\"lag\": 151, \"partition_number\": 19}]}" | kv | rename partitions{}.lag as lag, partitions{}.partition_number as partition_number | table topic total_lag partition_number lag </CODE></PRE> Fri, 22 Jun 2018 16:58:42 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401581#M116230 kamlesh_vaghela 2018-06-22T16:58:42Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401582#M116231 <P>Is there a way to convert this feed to a json format? It's pretty close....</P> Fri, 22 Jun 2018 18:31:34 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401582#M116231 ddrillic 2018-06-22T18:31:34Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401583#M116232 <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5261i38E2D5D0BC1A1C98/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here i have one more problem. If you see the below table topic name it is amx and amx1 but when i do line charts instead of showing two lines one for amx and one for amx1 it is showing only one line. How can we separate them?</P> Sat, 23 Jun 2018 01:28:01 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401583#M116232 pswalia06 2018-06-23T01:28:01Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401584#M116233 <P>it is json format only</P> Sun, 24 Jun 2018 05:00:27 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401584#M116233 pswalia06 2018-06-24T05:00:27Z https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401585#M116234 <P>HI <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/107560">@pswalia06</a>,</P> <P>Can you please try the following search?</P> <P>YOUR_SEARCH<BR /> |kv<BR /> | rename partitions{}.lag as lag, partitions{}.partition_number as partition_number<BR /> | timechart latest(total_lag) as total_lag by topic</P> Tue, 29 Sep 2020 20:08:52 GMT https://community.splunk.com/t5/Splunk-Search/Kafka-regex-Why-is-the-command-not-working-in-Splunk-search/m-p/401585#M116234 kamlesh_vaghela 2020-09-29T20:08:52Z