
Grouping data having 1 key and multiple values, which are grouped with the same 'group'

qwer007
New Member

I have the following mentioned data, where I want to group the data as per group. One group can have Topic details/multiple owner details/ Partition/LAG.

Time    Event
8/11/19
4:06:33.000 PM  
{   [-] 
     Data:  [   [-] 
        {   [-] 
         currentOffset:  6133   
         group:  data_testing   
         lag:    0  
         logEndOffset:   6133   
         owner:  data_testing_aws-us-east-1-0   
         partition:  6  
         topic:  data_testing   
        }   
        {   [-] 
         currentOffset:  1  
         group:  data1_testing
         lag:    0  
         logEndOffset:   1  
         owner:  MGMT_POP_stag_aws-us-east-1-0  
         partition:  6  
         topic:  data1_testing_test 
        }   
        {   [-] 
         currentOffset:  555846 
         group:  data_testing   
         lag:    -98    
         logEndOffset:   555748 
         owner:  data_testing_aws-us-east-1-6   
         partition:  6  
         topic:  data_testing_1
         }
    ...
        ...
}

My table should look like below where it has to be grouped by 'Group'

Group Topic Partition LAG owner
data_testing data_testing 0 0 data_testing_aws-us-east-1-0
data_testing data_testing 1 1 data_testing_aws-us-east-1-1
...
...
data_testing data_testing 7 0 data_testing_aws-us-east-1-7

data1_testing data1_testing 0 1 data1_testing_aws-us-east-1-0
data1_testing data1_testing 1 0 data1_testing_aws-us-east-1-1
...
...
data1_testing data1_testing 7 0 data1_testing_aws-us-east-1-7

0 Karma

Sukisen1981
Champion

hi @qwer007
From the sample data you have provided, all partition values are 6. From where do you get its values as 0, 1 & 7?

| makeresults 
    | eval payload=" {    [-]    
                currentOffset:     6133    
                group:     data_testing    
                lag:     0    
                logEndOffset:     6133    
                owner:     data_testing_aws-us-east-1-0    
                partition:     6    
                topic:     data_testing    
             }    
             {    [-]    
                currentOffset:     1    
                group:     data1_testing
                lag:     0    
                logEndOffset:     1    
                owner:     MGMT_POP_stag_aws-us-east-1-0    
                partition:     6    
                topic:     data1_testing_test    
             }    
             {    [-]    
                currentOffset:     555846    
                group:     data_testing    
                lag:     -98    
                logEndOffset:     555748    
                owner:     data_testing_aws-us-east-1-6    
                partition:     6    
                topic:     data_testing_1
              }" 
    |  rex field=payload "group:(?<group>.*)" max_match=0
    | rex field=payload "topic:(?<topic>.*)" max_match=0
    |  rex field=payload "partition:(?<partition>.*)" max_match=0
    | fields group,topic,partition 
    | fields - _time
    | eval mv=mvzip(mvzip(group,topic,"*"),partition,"|")
    | mvexpand mv
    | rex field=mv "(?<group>.*?)\*" max_match=0
    | rex field=mv "\*(?<topic>.*?)\|" max_match=0
    | rex field=mv "\|(?<partition>.*)" max_match=0

Try the below query out. I have attempted to extract values for group, topic and partition. Let me know if this is closer to your requirement.

0 Karma
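An alternative to the regex extraction in the answer above, added here as an example that is not part of the original thread: `mvzip` pairs values by position, whereas `spath` plus `mvexpand` keeps each object's fields together, so `lag` and `owner` stay on the same row as their `group`. It assumes the raw event is valid JSON with a top-level `Data` array, as the event viewer rendering in the question suggests; the sample event is constructed from the three objects shown in the question.

```spl
| makeresults
| eval _raw="{\"Data\": [
  {\"currentOffset\": 6133, \"group\": \"data_testing\", \"lag\": 0, \"logEndOffset\": 6133, \"owner\": \"data_testing_aws-us-east-1-0\", \"partition\": 6, \"topic\": \"data_testing\"},
  {\"currentOffset\": 1, \"group\": \"data1_testing\", \"lag\": 0, \"logEndOffset\": 1, \"owner\": \"MGMT_POP_stag_aws-us-east-1-0\", \"partition\": 6, \"topic\": \"data1_testing_test\"},
  {\"currentOffset\": 555846, \"group\": \"data_testing\", \"lag\": -98, \"logEndOffset\": 555748, \"owner\": \"data_testing_aws-us-east-1-6\", \"partition\": 6, \"topic\": \"data_testing_1\"}
]}"
| spath path=Data{} output=entry
| mvexpand entry
| spath input=entry
| table group, topic, partition, lag, owner
| sort 0 group, topic, partition
```

On indexed events, replace the first two commands with the base search; `sort 0` removes the default row limit of the `sort` command.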

Sukisen1981
Champion

hi @qwer007
Please let us know if your issue has been resolved and accept the answer if it significantly helped your resolution. Do not forget to add additional resolution details for the benefit of other forum members.

0 Karma