Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Got problem with mvexpand and its 500MB memory limit? Try a reverse stats join!

ClubMed
Path Finder
‎06-04-2024 06:55 PM

Hey,

I had discovered you can emulate the mvexpand function to avoid its limitation configured by the limits.conf 

You just have to stats by the multivalue field you were trying to mvexpand, like so:

 

 

| stats values(*) AS * by <multivalue_field>

 

 

That's it, (edit:) assuming each value is a unique value such as a unique identifier. You can make values unique using methods like foreach to pre-append a row-based number to each value, reverse join it, then use split and mvindex to remove the row numbers afterwards. (/Edit.)

Stats splits up <multivalue_field> into its individual rows, and the use of values(*) copies data across all rows.

As an added measure, you can make sure to avoid unnecessary _raw data to reduce memory use with an explicit fields just for it.

It was in my experience, it turned out using | fields _time, * trick does not actually remove every single Splunk internal fields. Removing _raw had to be explicit.

 

 

| fields _time, xxx, yyy, zzz, <multivalue_field>
| fields - _raw
| stats values(*) AS * by <multivalue_field>

 

 

The above strategy minimizes your search's disk space as much as possible before expanding the multivalue field.

Labels (2)
Labels
Tags (1)
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-04-2024 11:46 PM

This solution only works if all the values in the multivalue field are unique across all instances of the field. For example:

| makeresults count=10
| eval mv=mvrange(0,(random()%5)+1)
| streamstats count as row
| stats values(*) as * by mv

This produces only 5 events instead of between 10 and 50 events which mvexpand  of mv would have done

0 Karma
Reply

ClubMed
Path Finder
‎06-05-2024 12:11 AM

Test post. Wasn't able to post?

Edit: Okay, it works. Yes that is an caveat to bring up. Fortunately, you can use a foreach with an iterator to make each value in the multivalue unique. I'm thinking it is something like the following. I'm sure its not impossible to add a custom unique identifier to each value in mv field nonetheless.

 

| eval iterator=0
| foreach <multivalue_field>
[eval iterator=iterator+1, <<ITEM>>=iterator."-".<<ITEM>>]
``` Warning: Did not test this yet ```

 

Then you can perform the reverse stats join, and use split() and mvindex() to parse out your actual values without needing regex!

You are correct, I was indeed working with a multivalue of unique identifiers which is why it worked for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top