https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386257#M172126 <P>I see you are running the 'Dedup' command on a large data set with a huge time range. This is directly impacting your search performance and the query fails. Never run 'Dedup' Command directly over a search string. When you run a Dedup Command the text of every event in memory is retained which impacts your search performance.</P> <P>If you run this search for a short time duration it might work and produce results. But if you run the same search over larger time duration such as 1 year, it will require to retain the text for a long time in the memory and eventually search will fail to complete.</P> <P>This is the nature of the Dedup Command and this can not be an error. The dedup command is a streaming command or a dataset processing command, depending on which arguments are specified with the command. </P> <P>To fix this, You have to modify your search to restrict only limited dataset to be pulled out. There are multiple ways to modify your search based on your data and make the search fast.</P> Mon, 01 Apr 2019 20:52:09 GMT ashutoshab 2019-04-01T20:52:09Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386252#M172121 <P>Hello,</P> <P>I am running a query to analyse 1 year of data and find out the number of users that used the application per day. But the below query is getting timeout and terminated with the error "<STRONG>unexpected error</STRONG>"</P> <PRE><CODE>index=myIndex | dedup user_id _time | timechart span=1d dc(user_id) as Users | *outploutlookup ysers.csv </CODE></PRE> <P>Could you please help with optimizing the above query ?</P> Mon, 01 Apr 2019 11:42:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386252#M172121 akasthi 2019-04-01T11:42:11Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386253#M172122 <P>@akasthi </P> <P>Does your search work fine with different time range? like last 7 Days, last 30 days, last 2months, etc </P> Mon, 01 Apr 2019 13:08:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386253#M172122 kamlesh_vaghela 2019-04-01T13:08:51Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386254#M172123 <P>Yes, it works for the fewer time range, say 30 days, 7 days, etc</P> Mon, 01 Apr 2019 13:13:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386254#M172123 akasthi 2019-04-01T13:13:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386255#M172124 <P>Can you please inspect Job for that?? </P> <OL> <LI><P>Run the search.</P></LI> <LI><P>From the Job menu, select Inspect Job.</P></LI> </OL> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/ViewsearchjobpropertieswiththeJobInspector">https://docs.splunk.com/Documentation/Splunk/7.2.5/Search/ViewsearchjobpropertieswiththeJobInspector</A></P> Mon, 01 Apr 2019 13:16:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386255#M172124 kamlesh_vaghela 2019-04-01T13:16:14Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386256#M172125 <P>You don't need that dedup command in there. </P> Mon, 01 Apr 2019 15:47:09 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386256#M172125 somesoni2 2019-04-01T15:47:09Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386257#M172126 <P>I see you are running the 'Dedup' command on a large data set with a huge time range. This is directly impacting your search performance and the query fails. Never run 'Dedup' Command directly over a search string. When you run a Dedup Command the text of every event in memory is retained which impacts your search performance.</P> <P>If you run this search for a short time duration it might work and produce results. But if you run the same search over larger time duration such as 1 year, it will require to retain the text for a long time in the memory and eventually search will fail to complete.</P> <P>This is the nature of the Dedup Command and this can not be an error. The dedup command is a streaming command or a dataset processing command, depending on which arguments are specified with the command. </P> <P>To fix this, You have to modify your search to restrict only limited dataset to be pulled out. There are multiple ways to modify your search based on your data and make the search fast.</P> Mon, 01 Apr 2019 20:52:09 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-query-terminating-with-quot-unexpected-error-quot/m-p/386257#M172126 ashutoshab 2019-04-01T20:52:09Z