Splunk Search

Why does my search with the mvexpand command never finalize?

Buscatrufas
Path Finder

Hi guys,

I have a problem with a table with 78k of register.

I'm trying to expand a multivalue field, but the search never finalizes. The search is the following:

source=/home/cyberlabs/reportes/nvdcve_parseado.csv | rex max_match=0 "(?<cpe>(cpe+[.-:\/]*[^#]+))" | table CVE PUBLISHED_DATE cpe | mvexpand cpe

The search without mvexpand works fine, but with the command, it doesn't 😞

Is it a memory problem? I only have 500mb, but this search doesn't return more than 30MB of results. On the other hand, I looked at the search.log and found this:

alt text

The log throws this:

alt text

Problem with limits.conf? Othe ?

Thanks mates, really good community 🙂

Best regards, Buscatrufas.

0 Karma

sundareshr
Legend

Buscatrufas
Path Finder

But i didn't see any warning for this

0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...