Cannot solve "mvexpand: output will be truncated d...

carinahOliveira · ‎12-02-2021

Hello,

I'm having a problem with mvexpand in Splunk. I'm having the following error:
command.mvexpand: output will be truncated at 1103400 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.

Doing some searching here on answers I came across this previous answer:
https://answers.splunk.com/answers/98620/mvexpand-gives-mvexpand-output-will-be-truncated-due-to-exc...

Although that solution seemed to help a lot of people it did not help me. I don't seem to see a fix anywhere else. If anyone has some advice it would be most helpful. Thanks!

Taking the question, is it possible to improve this range?

Here is my search:

index=_raw UserName=*
timeformat="%d-%m-%YT%H:%M:%S" earliest="01-12-2021T00:00:00" latest="02-12-2021T23:59:00"

| stats values(_time) as Time by UserName

| eval i = mvrange(0,20)
| mvexpand i

| eval reconnection=if(UserName==UserName, tonumber(mvindex(Time,i+1))-tonumber(mvindex(Time,i)), "falha")
| where reconnection>0 AND reconnection<1200

| eval reconnection=tostring(reconnection, "duration")
| chart count by reconnection

Cannot solve "mvexpand: output will be truncated due to excessive memory usage."

error

indexing performance

search performance

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

IM Landing Page Filter - Now Available

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud