Hi guys,
I have a problem with a table with 78k of register.
I'm trying to expand a multivalue field, but the search never finalizes. The search is the following:
source=/home/cyberlabs/reportes/nvdcve_parseado.csv | rex max_match=0 "(?<cpe>(cpe+[.-:\/]*[^#]+))" | table CVE PUBLISHED_DATE cpe | mvexpand cpe
The search without mvexpand works fine, but with the command, it doesn't 😞
Is it a memory problem? I only have 500mb, but this search doesn't return more than 30MB of results. On the other hand, I looked at the search.log and found this:
The log throws this:
Problem with limits.conf? Othe ?
Thanks mates, really good community 🙂
Best regards, Buscatrufas.
See if this answers your question
http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/mvexpand#Limits
But i didn't see any warning for this