Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Got problem with mvexpand and its 500MB memory limit? Try a reverse stats join!

ClubMed
Path Finder
‎06-04-2024 06:55 PM

Hey,

I had discovered you can emulate the mvexpand function to avoid its limitation configured by the limits.conf 

You just have to stats by the multivalue field you were trying to mvexpand, like so:

 

 

| stats values(*) AS * by <multivalue_field>

 

 

That's it, (edit:) assuming each value is a unique value such as a unique identifier. You can make values unique using methods like foreach to pre-append a row-based number to each value, reverse join it, then use split and mvindex to remove the row numbers afterwards. (/Edit.)

Stats splits up <multivalue_field> into its individual rows, and the use of values(*) copies data across all rows.

As an added measure, you can make sure to avoid unnecessary _raw data to reduce memory use with an explicit fields just for it.

It was in my experience, it turned out using | fields _time, * trick does not actually remove every single Splunk internal fields. Removing _raw had to be explicit.

 

 

| fields _time, xxx, yyy, zzz, <multivalue_field>
| fields - _raw
| stats values(*) AS * by <multivalue_field>

 

 

The above strategy minimizes your search's disk space as much as possible before expanding the multivalue field.

Labels (2)
Labels
Tags (1)
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-04-2024 11:46 PM

This solution only works if all the values in the multivalue field are unique across all instances of the field. For example:

| makeresults count=10
| eval mv=mvrange(0,(random()%5)+1)
| streamstats count as row
| stats values(*) as * by mv

This produces only 5 events instead of between 10 and 50 events which mvexpand  of mv would have done

0 Karma
Reply

ClubMed
Path Finder
‎06-05-2024 12:11 AM

Test post. Wasn't able to post?

Edit: Okay, it works. Yes that is an caveat to bring up. Fortunately, you can use a foreach with an iterator to make each value in the multivalue unique. I'm thinking it is something like the following. I'm sure its not impossible to add a custom unique identifier to each value in mv field nonetheless.

 

| eval iterator=0
| foreach <multivalue_field>
[eval iterator=iterator+1, <<ITEM>>=iterator."-".<<ITEM>>]
``` Warning: Did not test this yet ```

 

Then you can perform the reverse stats join, and use split() and mvindex() to parse out your actual values without needing regex!

You are correct, I was indeed working with a multivalue of unique identifiers which is why it worked for me.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...