Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Hitting eventstats memory limit. Is there another way to form my search?

jedatt01
Builder
‎06-24-2016 02:01 PM

I'm seeing the following error below when trying to use eventstats on a large lookup table (about 500,000 rows). 

06-24-2016 15:44:04.735 ERROR StatsProcessor - Reached limit max_mem_usage_mb (200 MB), results may be incomplete! Please increase the max_mem_usage_mb in limits.conf .

Getting the max_mem_usage_mb increase will take a long time as I'm a user in a large enterprise environment that would require testing first.

In the lookup table, I have records of machine check-ins to an DM system. I'm trying to create a search that will look for the latest check-in in the lookup and remove the older check-ins. My current search below is not completing because of the memory limit.

| inputlookup mdm_master | eventstats max(MDM_Last_Check_in_epoc) as last_check by MDM_MAC_Address MDM_Server | where MDM_Last_Check_in_epoc = last_check | table MDM* | outputlookup mdm_master

Can anybody think of a more efficient way to do this that will take less memory?

0 Karma
Reply

maciep
Champion
‎06-24-2016 06:23 PM

Not sure how these things work under the hood, so this may be as or more inefficient, but you could try using sort/dedup.

| inputlookup mdm_master 
| eval mdm_mac_server = MDM_MAC_Address." ".MDM_Server
| sort mdm_mac_server - MDM_Last_Check_in_epoc
| dedup mdm_mac_server
| table MDM*
| outputlookup mdm_master

Also, again not sure how efficient, but you could try to use a stats instead of eventstats, and then lookup or join the results to the lookup again, keep the ones that match output the lookup again?

0 Karma
Reply

jedatt01
Builder
‎06-29-2016 12:25 PM

must be hardcoded somewhere. I tried sort 0 and also sort 500000 and it still tells me it's being limited to 10k results.

0 Karma
Reply

maciep
Champion
‎06-29-2016 05:38 PM

interesting...maybe it's in limits somewhere.

What about looking up from the lookup? Something like this?

| inputlookup mdm_master 
| tstats max(MDM_Last_Check_in_epoc) as MDM_Last_Check_in_epoc
| lookup mdm_master MDM_Last_Check_in_epoc
| table MDM* 
| outputlookup mdm_master
0 Karma
Reply

jedatt01
Builder
‎06-27-2016 05:55 AM

Unfortunately, sort has a 10,000 event limit. No good there either.

0 Karma
Reply

maciep
Champion
‎06-27-2016 05:57 AM

Oh, whoops....you can use sort 0 to remove the default limit, like 

| sort 0 mdm_mac_server - MDM_Last_Check_in_epoc
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-24-2016 04:01 PM

I sort of wonder if you could use streamstats and just get the last calculation - but to be honest I don't really know. Could be worth a try ?

0 Karma
Reply

woodcock
Esteemed Legend
‎06-24-2016 02:06 PM

2 options, both are higher-level things:

1: Setup a Data Model and accelerate it then convert your search to tstats.
2: Setup a Summary Index.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top