https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582455#M202864 <P>My query after finalizing for some time , gives me,&nbsp;<BR /><SPAN>The search processs with sid= was forcefully terminated because its physical memory usage&nbsp; has exceeded the 'search_process_memory_usage_threshold'&nbsp; setting in limits.conf.<BR /><BR /></SPAN>I am not allowed to increase memory...<BR />Any suggestion how to tweak the query&nbsp; to avoid forceful termination?<BR /><BR />=================<BR />(index=bsa) sourcetype=wf:esetext:user_banks:db OR sourcetype=wf:esetext:soc_sare_data:db au!="0*"<BR />| stats values(bank_name) as bank_name<BR />, values(bank_type) as type<BR />, values(pwd_expires) as pwd_expires<BR />, values(is_interactive) as is_interactive<BR />, values(au_owner_name) as au_owner_name<BR />, values(au_owner_email) as au_owner_email<BR />, values(service_bank_name) as service_bank_name<BR />, values(owner_elid) as owner_elid,<BR />, values(manager_name) as manager_name<BR />BY au<BR />| eval bank_name=coalesce(bank_name,service_bank_name)<BR />| eval user=lower(bank_name)<BR />| dedup user<BR />| rex field=user "[^:]+:(?&lt;user&gt;[^\s]+)"<BR />| fields - bank_name<BR />| stats<BR />values(au_owner_email) as au_owner_email<BR />, values(au_owner_name) as au_owner_name<BR />, values(owner_elid) as owner_elid<BR />, max(manager_name) as manager_name<BR />BY user<BR />,service_bank_name<BR />,type<BR />,pwd_expires<BR />,is_interactive<BR /><BR /><BR /><BR /></P> Tue, 25 Jan 2022 23:20:07 GMT zacksoft_wf 2022-01-25T23:20:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582455#M202864 <P>My query after finalizing for some time , gives me,&nbsp;<BR /><SPAN>The search processs with sid= was forcefully terminated because its physical memory usage&nbsp; has exceeded the 'search_process_memory_usage_threshold'&nbsp; setting in limits.conf.<BR /><BR /></SPAN>I am not allowed to increase memory...<BR />Any suggestion how to tweak the query&nbsp; to avoid forceful termination?<BR /><BR />=================<BR />(index=bsa) sourcetype=wf:esetext:user_banks:db OR sourcetype=wf:esetext:soc_sare_data:db au!="0*"<BR />| stats values(bank_name) as bank_name<BR />, values(bank_type) as type<BR />, values(pwd_expires) as pwd_expires<BR />, values(is_interactive) as is_interactive<BR />, values(au_owner_name) as au_owner_name<BR />, values(au_owner_email) as au_owner_email<BR />, values(service_bank_name) as service_bank_name<BR />, values(owner_elid) as owner_elid,<BR />, values(manager_name) as manager_name<BR />BY au<BR />| eval bank_name=coalesce(bank_name,service_bank_name)<BR />| eval user=lower(bank_name)<BR />| dedup user<BR />| rex field=user "[^:]+:(?&lt;user&gt;[^\s]+)"<BR />| fields - bank_name<BR />| stats<BR />values(au_owner_email) as au_owner_email<BR />, values(au_owner_name) as au_owner_name<BR />, values(owner_elid) as owner_elid<BR />, max(manager_name) as manager_name<BR />BY user<BR />,service_bank_name<BR />,type<BR />,pwd_expires<BR />,is_interactive<BR /><BR /><BR /><BR /></P> Tue, 25 Jan 2022 23:20:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582455#M202864 zacksoft_wf 2022-01-25T23:20:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582458#M202867 <P>The values function is known to consume a lot of memory so use it carefully.</P><P>Consider coalescing bank_name and service_bank_name before the first stats command.</P><P>That said, the number of events being processed can also affect how much memory is used.&nbsp; Try shrinking the time period to reduce the number of events.</P> Wed, 26 Jan 2022 00:59:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582458#M202867 richgalloway 2022-01-26T00:59:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582464#M202869 <P>It's not clear whether you need to run stats twice. Try to consolidate if possible.</P><P>Could be typos here, but you get the idea:</P><LI-CODE lang="markup">| fields bank_name bank_type pwd_expires is_interactive au_owner_name au_owner_email service_bank_name owner_elid manager_name au | eval user=LOWER(COALESCE(bank_name,service_bank_name)) | rex field=user "[^:]+:(?&lt;user&gt;[^\s]+)" | rename bank_type AS type | stats values(au_owner_email) AS au_owner_email, values(au_owner_name) AS au_owner_name, values(owner_elid) AS owner_elid, max(manager_name) AS manager_name last(is_interactive) AS is_interactive last(pwd_expire) AS pwd_expire last(service_bank_name) AS service_bank_name last(type) AS type BY user </LI-CODE> Wed, 26 Jan 2022 02:43:36 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582464#M202869 johnhuang 2022-01-26T02:43:36Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582471#M202872 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/190794">@johnhuang</a>&nbsp; The first STATS was to perform a join between two sourcetypes by common field "au".&nbsp; If I don't do that I am not able to get values from both the sources,&nbsp; example bank_type is from second source type and is_interactive is from first.&nbsp;<BR />Also I get some multivalues, so to flatten them out I use them in the second stats's BY clause .</P> Wed, 26 Jan 2022 04:41:23 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582471#M202872 zacksoft_wf 2022-01-26T04:41:23Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582473#M202873 <P>Try max instead of last for those 2 fields. Since I can't see your data, I'm just making a few guesses and assumptions on how to structure the query. You need to play around with it -- I'm sure you'll be able to get rid of one of the stats.</P><LI-CODE lang="markup">| fields bank_name bank_type pwd_expires is_interactive au_owner_name au_owner_email service_bank_name owner_elid manager_name au | eval user=LOWER(COALESCE(bank_name,service_bank_name)) | rex field=user "[^:]+:(?&lt;user&gt;[^\s]+)" | rename bank_type AS type | stats values(au_owner_email) AS au_owner_email, values(au_owner_name) AS au_owner_name, values(owner_elid) AS owner_elid, max(manager_name) AS manager_name max(is_interactive) AS is_interactive last(pwd_expire) AS pwd_expire max(service_bank_name) AS service_bank_name last(type) AS type BY use</LI-CODE><P>&nbsp;</P> Wed, 26 Jan 2022 05:21:48 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582473#M202873 johnhuang 2022-01-26T05:21:48Z https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582474#M202874 <P>If those missing values are defined by au, you can throw in an eventstats to have it filled.</P><LI-CODE lang="markup">| fields bank_name bank_type pwd_expires is_interactive au_owner_name au_owner_email service_bank_name owner_elid manager_name au | eventstats max(is_interactive) AS is_interactive max(bank_type) AS bank_type BY au | eval user=LOWER(COALESCE(bank_name,service_bank_name)) | rex field=user "[^:]+:(?&lt;user&gt;[^\s]+)" | rename bank_type AS type | stats values(au_owner_email) AS au_owner_email, values(au_owner_name) AS au_owner_name, values(owner_elid) AS owner_elid, max(manager_name) AS manager_name max(is_interactive) AS is_interactive last(pwd_expire) AS pwd_expire max(service_bank_name) AS service_bank_name last(type) AS type BY user </LI-CODE><P>&nbsp;</P> Wed, 26 Jan 2022 05:27:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-optimize-the-query-to-avoid-forceful-termination/m-p/582474#M202874 johnhuang 2022-01-26T05:27:54Z