Solved: mvexpand gives "mvexpand output will be truncated...

marcokrueger · ‎08-11-2013

I give my splunk 50GB Mem with
max_mem_usage_mb = 50480
in the limits.conf
but splunk 5.0.3 gives me a "mvexpand output will be truncated due to excessive memory usage".
THe job inspector shows that the incoming data are a few 10 MB.

Miss I a hidden config-option?

Best regards Marco

marcokrueger · ‎08-26-2013

Hi Frank,
in my case I have solved it. I suggest to remove alle fields you don't need anymore, before you call the mvexpand, like ... | fields dns, ip, record | fields - _raw | ...
Perhaps this helps.

By Marco

View solution in original post

marcokrueger · ‎08-26-2013

Hi Frank,
in my case I have solved it. I suggest to remove alle fields you don't need anymore, before you call the mvexpand, like ... | fields dns, ip, record | fields - _raw | ...
Perhaps this helps.

By Marco

ClubMed

Wow.

For all my queries, I had been using the following fields command under the assumption it did drop _raw.

| fields _time, xxx, yyy, zzz, ....

Then one day I started a large mvexpand and ran into memory limit.

My thought upon seeing this was 'Huh? Well, worth a try I guess.'

| fields _time, xxx, yyy, zzz, ....
| fields - _raw

Boom, mvexpand completes successfully. The heck? It actually cut the search time in half too.

amckinnie_splun · ‎01-21-2020

still works in 2020

gjanders · ‎01-21-2020

Another workaround is to use the "by" clause of a stats command to split a multivalued field into its values, it doesn't have the memory issue that mvexpand has...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

to4kawa · ‎01-21-2020

|makeresults count=10000
|streamstats count as t
|stats values(t) as multivalue 
|fields multivalue 
`comment("multivalue extract without mvexpand")`
|stats count by multivalue 
|table multivalue

All multi-values must be unique values, but that's OK

LM_ACN · ‎10-23-2019

still Octuber 2019 🙂

sgundeti573 · ‎06-04-2019

June 2019 🙂

balmeida · ‎02-05-2019

Still a good answer in 2019.

rafaelvjb · ‎10-11-2018

Tks man, "fields - _raw" fixed my problem

jstubberfield · ‎07-22-2018

This is still an excellent answer on 2018

grittonc · ‎11-27-2017

Still a good answer in 2017.

fervin · ‎09-03-2013

Thanks, that fixed it.

fervin · ‎08-22-2013

Hi Marco,

I'm seeing the same behavior in 5.0.3. Did you ever find a solution? I'm trying to get some info from a REST input into a lookup, and the seemingly inefficient technique in the docs for spath to combine multivalued fields bombs at exactly 700 elements. Anybody else seeing this, or have any ideas?

-Frank

EDIT - Upgrading to 5.0.4 and greatly increasing max_mem_usage_mb did not resolve the problem for me but filtering out the _raw fields as Marco suggested did. My working query:

index=rest sourcetype=dns:rest:a | head 1 
| spath output=dns path={}.name 
| spath output=ip path={}.ipv4addr
| fields - _raw 
| eval record=mvzip(dns,ip)
| fields + record
| mvexpand record | eval record = split(record,",") 
| eval dns=mvindex(record,0) | eval ip=mvindex(record,1)   
| table dns,ip

marcokrueger · ‎08-26-2013

Hi Frank,
another solution may be to incease the max_mem_usage_mb in your limits.conf?

You can avoid the spath in your query, by defining it under
Manager » Fields » Field aliases

best regards
Marco

mvexpand gives "mvexpand output will be truncated due to excessive memory usage"

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk