Sum up all the values using a delimiter when corresponding keys are different

vpuneeth007 — Fri, 11 Dec 2015 06:49:55 GMT

I have Splunk logs as shown in below format from a Kafka server's topic metadata.

Topic#No_Partion#No = [F1,F2,F3]

F1= Produced Message Count to this Topic by a producer group
F2=Consumed Message Count from this Topic by a consumer group
F3=Total lag count between producer and consumer i.e F1-F2

Sample logs:

[11/Dec/2015:04:45:26 +481] Topic1_0=[9,7,2] Topic1_1=[3,2,1] Topic1_2=[6,4,2] Topic1_3=[2,1,1]
[11/Dec/2015:04:45:26 +481] Topic2_0=[5,3,2] Topic2_1=[2,1,1] Topic2_2=[0,0,0] Topic2_3=[1,1,0]

Now I need the sum of message counts of specific Topic from all part-ions
Total messages produced to Topic1 = 20 {9+3+6+2}
Total messages consumed from Topic1 = 14 {7+2+4+1}
Lag count between consumer and producer using Topic1= 6{2+1+2+1}

Can someone help with a Splunk query.

Re: Sum up all the values using a delimiter when corresponding keys are different

sundareshr — Fri, 11 Dec 2015 15:10:08 GMT

Try this

| gentimes start=-1 | eval s="[11/Dec/2015:04:45:26 +481] Topic1_0=[9,7,2] Topic1_1=[3,2,1] Topic1_2=[6,4,2] Topic1_3=[2,1,1]
[11/Dec/2015:04:45:26 +481] Topic2_0=[5,3,2] Topic2_1=[2,1,1] Topic2_2=[0,0,0] Topic2_3=[1,1,0]"
| rex max_match=0 field=s "\]\s(?<top>\w+)_\d=\[(?<prod>\d+),(?<cons>\d+),(?<lag>\d+)" 
| eval z=mvzip(top, prod) | eval z=mvzip(z, cons) | eval z=mvzip(z, lag)
| mvexpand z
| eval t=split(z, ",")
| eval Topic=mvindex(t, 0) | eval prod=mvindex(t, 1) | eval cons=mvindex(t, 2) | eval lag=mvindex(t, 3)
| stats sum(prod) as Produced, sum(cons) as Consumed, sum(lag) as Lag by Topic

topic Re: Sum up all the values using a delimiter when corresponding keys are different in Splunk Search

Sum up all the values using a delimiter when corresponding keys are different

Re: Sum up all the values using a delimiter when corresponding keys are different