https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326818#M97375 <P>Hi Splunk Experts,</P> <P>I am sending events to Splunk Enterprise in the following nested JSON format:</P> <PRE><CODE>{ compliance: Compliance Unknown, ctupdate: hostinfo, host_properties: [ { name: _times, since: 1508907165, value: last_onsite }, { name: compliance_state, since: 1508268020, value: N/A }, { name: engine_seen_packet, since: 1508907165, value: Yes }, { name: guest_corporate_state, since: 1508268020, value: N/A }, { name: linux_operating_system, since: 1508907165, value: 2.0.2 }, { name: online, since: 1508907165, value: online_multivalue1 }, { name: online, since: 1508907165, value: online_multivalue2 }, { name: online, since: 1508907165, value: online_multivalue3 }, { name: ssh_open_port, since: 1508959259, value: 0 }, { name: va_netfunc, since: 1508959247, value: Linux Desktop/Server } ] ip: 192.168.1.17, tenant_id: acd1034578ef } </CODE></PRE> <P>I want to create a dashboard that would go over all such events and display a pie-chart with online values seen so far. To achieve this, I've been using the following query:</P> <PRE><CODE>`ct_hostinfo` `get_sourcetypes` | spath output=prop_name path=host_properties{}.name | spath output=prop_val path=host_properties{}.value | eval prop_key_val=mvzip(prop_name, prop_val, "---") | mvexpand prop_key_val | eval prop_key_val=split(prop_key_val, "---") | eval prop_name=mvindex(prop_key_val, 0) | eval prop_val=mvindex(prop_key_val, 1) | search prop_name=online | stats count by prop_val </CODE></PRE> <P>The above query does its work but <STRONG>it doesn't scale.</STRONG> If I let my dashboard collect data for over ~5k events, I start seeing the following error:</P> <PRE><CODE>command.mvexpand: output will be truncated at 1300 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached. </CODE></PRE> <P>I would like to know if I can somehow scale the above search query so that it can handle greater number of events. Would I need to defined field extractions etc. in transforms.conf/props.conf? I don't know much about field extraction configs.</P> <P>I would be very grateful, if someone can suggest me a better query or field extractions.</P> <P>Thanks.</P> Thu, 26 Oct 2017 02:23:26 GMT sharad06 2017-10-26T02:23:26Z https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326818#M97375 <P>Hi Splunk Experts,</P> <P>I am sending events to Splunk Enterprise in the following nested JSON format:</P> <PRE><CODE>{ compliance: Compliance Unknown, ctupdate: hostinfo, host_properties: [ { name: _times, since: 1508907165, value: last_onsite }, { name: compliance_state, since: 1508268020, value: N/A }, { name: engine_seen_packet, since: 1508907165, value: Yes }, { name: guest_corporate_state, since: 1508268020, value: N/A }, { name: linux_operating_system, since: 1508907165, value: 2.0.2 }, { name: online, since: 1508907165, value: online_multivalue1 }, { name: online, since: 1508907165, value: online_multivalue2 }, { name: online, since: 1508907165, value: online_multivalue3 }, { name: ssh_open_port, since: 1508959259, value: 0 }, { name: va_netfunc, since: 1508959247, value: Linux Desktop/Server } ] ip: 192.168.1.17, tenant_id: acd1034578ef } </CODE></PRE> <P>I want to create a dashboard that would go over all such events and display a pie-chart with online values seen so far. To achieve this, I've been using the following query:</P> <PRE><CODE>`ct_hostinfo` `get_sourcetypes` | spath output=prop_name path=host_properties{}.name | spath output=prop_val path=host_properties{}.value | eval prop_key_val=mvzip(prop_name, prop_val, "---") | mvexpand prop_key_val | eval prop_key_val=split(prop_key_val, "---") | eval prop_name=mvindex(prop_key_val, 0) | eval prop_val=mvindex(prop_key_val, 1) | search prop_name=online | stats count by prop_val </CODE></PRE> <P>The above query does its work but <STRONG>it doesn't scale.</STRONG> If I let my dashboard collect data for over ~5k events, I start seeing the following error:</P> <PRE><CODE>command.mvexpand: output will be truncated at 1300 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached. </CODE></PRE> <P>I would like to know if I can somehow scale the above search query so that it can handle greater number of events. Would I need to defined field extractions etc. in transforms.conf/props.conf? I don't know much about field extraction configs.</P> <P>I would be very grateful, if someone can suggest me a better query or field extractions.</P> <P>Thanks.</P> Thu, 26 Oct 2017 02:23:26 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326818#M97375 sharad06 2017-10-26T02:23:26Z https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326819#M97376 <P>You are carrying along a ton of fields when you <CODE>mvexpand</CODE> your records. That calculates to over 300K per record. You only need <CODE>prop_key_val</CODE> at that point, right?</P> <P>Two <CODE>fields</CODE> commands, immediately before the <CODE>mvexpand</CODE>, should put you up to millions of records possible. </P> <PRE><CODE> | eval prop_key_val=mvzip(prop_name, prop_val, "---") | fields prop_key_val | fields - _* | mvexpand prop_key_val </CODE></PRE> <HR /> <P>Looking deeper, you only want ONE of the values for <CODE>prop_name=online</CODE>, so you don't need the <CODE>mvexpand</CODE> at all. You need <CODE>mvfilter</CODE>.</P> <P>Try this against your existing search for a small time number of records. It should get the same results. If not, then adjust the <CODE>mvfilter</CODE> test until it does. (Adjust case sensitivity, <CODE>like()</CODE> vs <CODE>match()</CODE>, and so on)</P> <PRE><CODE>`ct_hostinfo` `get_sourcetypes` | spath output=prop_name path=host_properties{}.name | spath output=prop_val path=host_properties{}.value | eval prop_key_val=mvzip(prop_name, prop_val, "---") | eval prop_key_val=mvfilter( like(prop_key_val,"online%") | mvexpand prop_key_val | eval prop_val=mvindex(split(prop_key_val, "---"), 1) | stats count by prop_val </CODE></PRE> Mon, 30 Oct 2017 01:51:24 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326819#M97376 DalJeanis 2017-10-30T01:51:24Z https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326820#M97377 <P>Hi Dal,</P> <P>I tried your suggestion to remove internal fields (fields - _*). But it doesn't work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>It's always returning 'No results found'.</P> Tue, 07 Nov 2017 20:05:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-using-spath-and-mvexpand-on-multi-value-nested-JSON/m-p/326820#M97377 sharad06 2017-11-07T20:05:39Z