Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Grouping data having 1 key and multiple value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Grouping data having 1 key and multiple values , which are grouped with the same 'group'
I have the following mentioned data, where I want to group the data as per group. One group can have Topic details/multiple owner details/ Partition/LAG.
Time Event
8/11/19
4:06:33.000 PM
{ [-]
Data: [ [-]
{ [-]
currentOffset: 6133
group: data_testing
lag: 0
logEndOffset: 6133
owner: data_testing_aws-us-east-1-0
partition: 6
topic: data_testing
}
{ [-]
currentOffset: 1
group: data1_testing
lag: 0
logEndOffset: 1
owner: MGMT_POP_stag_aws-us-east-1-0
partition: 6
topic: data1_testing_test
}
{ [-]
currentOffset: 555846
group: data_testing
lag: -98
logEndOffset: 555748
owner: data_testing_aws-us-east-1-6
partition: 6
topic: data_testing_1
}
...
...
}
My table should look like below where it has to be grouped by 'Group'
**Group Topic Partition LAG owner
data_testing data_testing 0 0 data_testing_aws-us-east-1-0
data_testing data_testing 1 1 data_testing_aws-us-east-1-1
...
...
data_testing data_testing 7 0 data_testing_aws-us-east-1-7**
data1_testing data1_testing 0 1 data1_testing_aws-us-east-1-0
data1_testing data1_testing 1 0 data1_testing_aws-us-east-1-1
...
...
data1_testing data1_testing 7 0 data1_testing_aws-us-east-1-7
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @qwer007
From the sample data you have provided, all partition values are 6, from where do you get its values as 0,1 &7?
| makeresults
| eval payload=" { [-]
currentOffset: 6133
group: data_testing
lag: 0
logEndOffset: 6133
owner: data_testing_aws-us-east-1-0
partition: 6
topic: data_testing
}
{ [-]
currentOffset: 1
group: data1_testing
lag: 0
logEndOffset: 1
owner: MGMT_POP_stag_aws-us-east-1-0
partition: 6
topic: data1_testing_test
}
{ [-]
currentOffset: 555846
group: data_testing
lag: -98
logEndOffset: 555748
owner: data_testing_aws-us-east-1-6
partition: 6
topic: data_testing_1
}"
| rex field=payload "group:(?<group>.*)" max_match=0
| rex field=payload "topic:(?<topic>.*)" max_match=0
| rex field=payload "partition:(?<partition>.*)" max_match=0
| fields group,topic,partition
| fields - _time
| eval mv=mvzip(mvzip(group,topic,"*"),partition,"|")
| mvexpand mv
| rex field=mv "(?<group>.*?)\*" max_match=0
| rex field=mv "\*(?<topic>.*?)\|" max_match=0
| rex field=mv "\|(?<partition>.*)" max_match=0
Try the below query out, I have attempted to extract values for group, topic and partition. Let me know if this is closer to your requirement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @qwer007
Please let us know if your issue has been resolved and accept the answer if it significantly helped your resolution. Do not forget to add additional resolution details for the benefit of other form members.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
