- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Grouping data having 1 key and multiple values , ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Grouping data having 1 key and multiple values , which are grouped with the same 'group'
I have the following mentioned data, where I want to group the data as per group. One group can have Topic details/multiple owner details/ Partition/LAG.
Time Event
8/11/19
4:06:33.000 PM
{ [-]
Data: [ [-]
{ [-]
currentOffset: 6133
group: data_testing
lag: 0
logEndOffset: 6133
owner: data_testing_aws-us-east-1-0
partition: 6
topic: data_testing
}
{ [-]
currentOffset: 1
group: data1_testing
lag: 0
logEndOffset: 1
owner: MGMT_POP_stag_aws-us-east-1-0
partition: 6
topic: data1_testing_test
}
{ [-]
currentOffset: 555846
group: data_testing
lag: -98
logEndOffset: 555748
owner: data_testing_aws-us-east-1-6
partition: 6
topic: data_testing_1
}
...
...
}
My table should look like below where it has to be grouped by 'Group'
**Group Topic Partition LAG owner
data_testing data_testing 0 0 data_testing_aws-us-east-1-0
data_testing data_testing 1 1 data_testing_aws-us-east-1-1
...
...
data_testing data_testing 7 0 data_testing_aws-us-east-1-7**
data1_testing data1_testing 0 1 data1_testing_aws-us-east-1-0
data1_testing data1_testing 1 0 data1_testing_aws-us-east-1-1
...
...
data1_testing data1_testing 7 0 data1_testing_aws-us-east-1-7
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @qwer007
From the sample data you have provided, all partition values are 6, from where do you get its values as 0,1 &7?
| makeresults
| eval payload=" { [-]
currentOffset: 6133
group: data_testing
lag: 0
logEndOffset: 6133
owner: data_testing_aws-us-east-1-0
partition: 6
topic: data_testing
}
{ [-]
currentOffset: 1
group: data1_testing
lag: 0
logEndOffset: 1
owner: MGMT_POP_stag_aws-us-east-1-0
partition: 6
topic: data1_testing_test
}
{ [-]
currentOffset: 555846
group: data_testing
lag: -98
logEndOffset: 555748
owner: data_testing_aws-us-east-1-6
partition: 6
topic: data_testing_1
}"
| rex field=payload "group:(?<group>.*)" max_match=0
| rex field=payload "topic:(?<topic>.*)" max_match=0
| rex field=payload "partition:(?<partition>.*)" max_match=0
| fields group,topic,partition
| fields - _time
| eval mv=mvzip(mvzip(group,topic,"*"),partition,"|")
| mvexpand mv
| rex field=mv "(?<group>.*?)\*" max_match=0
| rex field=mv "\*(?<topic>.*?)\|" max_match=0
| rex field=mv "\|(?<partition>.*)" max_match=0
Try the below query out, I have attempted to extract values for group, topic and partition. Let me know if this is closer to your requirement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @qwer007
Please let us know if your issue has been resolved and accept the answer if it significantly helped your resolution. Do not forget to add additional resolution details for the benefit of other form members.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
