Splunk Search

This search has encountered a fatal error and has been marked as zombied.


I'm trying to optimize this report to successfully run without errors.  It will currently run for 3-5 hours and grow to 750+MB then fails, then starts again and runs for 15 hours and grow to 8MB and complete.  After it completes, there are no results in the report.

This is the query running over last 30 days.

index=web OR index=web_long sourcetype="*iis*" NOT ("HealthCheck" OR "localhost" OR "F5" OR "*LtmActivityMonitor*") NOT cs_uri_stem="/"
| eval id=coalesce(upper(app_id), upper(id))
| rename id AS AppId
| join type=inner AppId, host overwrite=false
[ search index=im sourcetype=db LogType="web" earliest=-45d
| eval host=lower(ServerName) ]
| head 500000
| eval missing_field=mvappend(
case(isnull(c_ip), "c_ip"),
case(isnull(cs_bytes), "cs_bytes"),
case(isnull(cs_host), "cs_host"),
case(isnull(cs_method), "cs_method"),
case(isnull(cs_uri_stem), "cs_uri_stem"),
case(isnull(cs_version), "cs_version"),
case(isnull(date), "date"),
case(isnull(s_computername), "s_computername"),
case(isnull(s_ip), "s_ip"),
case(isnull(s_port), "s_port"),
case(isnull(sc_bytes), "sc_bytes"),
case(isnull(sc_status), "sc_status"),
case(isnull(cs_Referer), "cs_Referer"),
case(isnull(cs_User_Agent), "cs_User_Agent"),
case(isnull(time), "time"),
case(isnull(x_forwarded_for), "x_forwarded_for")
| fillnull value=None
| mvexpand missing_field
| where missing_field != ""
| stats
latest(_raw) AS latest_raw
BY AppId, index, sourcetype, missing_field, host, source
| stats
values(missing_field) AS missing_field
BY AppId, index, sourcetype, host, latest_raw, source
| table AppId, index, sourcetype, missing_field, host, latest_raw, source
| where missing_field!= ""

Labels (4)
0 Karma