https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500642#M195096 <P>Better yet, just dump it into a <CODE>lookup file</CODE>.</P> Thu, 26 Mar 2020 14:11:40 GMT woodcock 2020-03-26T14:11:40Z https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500640#M195094 <P>Hello,</P> <P>One of the dashboards has a makeresults query like below, with about 250 append statements.</P> <PRE><CODE>| makeresults| eval active="true"| makemv delim="," active| eval code="1234"| makemv delim="," code| eval portfolio="ABC"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0001"| makemv delim="," id | append [| makeresults| eval active="true"| makemv delim="," active| eval code="2345"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra="Infra2"| makemv delim="," infra| eval interfaces="Infra2"| makemv delim="," interfaces| eval id="0002"| makemv delim="," id] | append [| makeresults| eval active="true"| makemv delim="," active| eval code="3456"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=" list missing for the application"| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0003"| makemv delim="," id] </CODE></PRE> <P>.... and so on</P> <P>The query gets executed fine on Splunk v7.0 but is stuck on v7.3. The job progress remains at 0% and gets stuck.</P> <P>I tried updating the configuration in limits.conf but in vain.</P> <PRE><CODE>max_mem_usage_mb = 500 [searchresults] maxresultrows = 86400 </CODE></PRE> <P>Has anyone faced such a problem in v7.3.3? <BR /> If I decrease the append statements to say 180, the query gets executed. So, it seems the issue is related to memory/result size but I haven't found any solution yet.</P> <P>Thanks in advance.</P> Thu, 26 Mar 2020 12:34:12 GMT https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500640#M195094 saneja 2020-03-26T12:34:12Z https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500641#M195095 <P>It is the <CODE>append</CODE> list that is killing you. You are doing it wrong; use <CODE>multikv</CODE> like this instead:</P> <PRE><CODE>| makeresults| eval _raw="active applicative code id infra interfaces portfolio true 1234 0001 ABC true 2345 0002 Infra2 Infra2 ABC,PQR true list missing for the application 3456 0003 ABC,PQR" | multikv forceheader=1 | makemv delim="," portfolio | fields - _raw linecount </CODE></PRE> <P>When cut-and-paste for testing be sure to carefully remove the leading space on every line or it will not work.</P> Thu, 26 Mar 2020 14:11:09 GMT https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500641#M195095 woodcock 2020-03-26T14:11:09Z https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500642#M195096 <P>Better yet, just dump it into a <CODE>lookup file</CODE>.</P> Thu, 26 Mar 2020 14:11:40 GMT https://community.splunk.com/t5/Splunk-Search/makeresults-query-stuck-in-v7-3/m-p/500642#M195096 woodcock 2020-03-26T14:11:40Z