Hello,
I'm having a problem with mvexpand in Splunk. I'm having the following error:
command.mvexpand: output will be truncated at 1103400 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.
Doing some searching here on answers I came across this previous answer:
https://answers.splunk.com/answers/98620/mvexpand-gives-mvexpand-output-will-be-truncated-due-to-exc...
Although that solution seemed to help a lot of people it did not help me. I don't seem to see a fix anywhere else. If anyone has some advice it would be most helpful. Thanks!
Taking the question, is it possible to improve this range?
Here is my search:
index=_raw UserName=*
timeformat="%d-%m-%YT%H:%M:%S" earliest="01-12-2021T00:00:00" latest="02-12-2021T23:59:00"
| stats values(_time) as Time by UserName
| eval i = mvrange(0,20)
| mvexpand i
| eval reconnection=if(UserName==UserName, tonumber(mvindex(Time,i+1))-tonumber(mvindex(Time,i)), "falha")
| where reconnection>0 AND reconnection<1200
| eval reconnection=tostring(reconnection, "duration")
| chart count by reconnection