Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- makeresults query stuck in v7.3
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
makeresults query stuck in v7.3
saneja
New Member
03-26-2020
05:34 AM
Hello,
One of the dashboards has a makeresults query like below, with about 250 append statements.
| makeresults| eval active="true"| makemv delim="," active| eval code="1234"| makemv delim="," code| eval portfolio="ABC"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0001"| makemv delim="," id
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="2345"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra="Infra2"| makemv delim="," infra| eval interfaces="Infra2"| makemv delim="," interfaces| eval id="0002"| makemv delim="," id]
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="3456"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=" list missing for the application"| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0003"| makemv delim="," id]
.... and so on
The query gets executed fine on Splunk v7.0 but is stuck on v7.3. The job progress remains at 0% and gets stuck.
I tried updating the configuration in limits.conf but in vain.
max_mem_usage_mb = 500
[searchresults]
maxresultrows = 86400
Has anyone faced such a problem in v7.3.3?
If I decrease the append statements to say 180, the query gets executed. So, it seems the issue is related to memory/result size but I haven't found any solution yet.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-26-2020
07:11 AM
It is the append list that is killing you. You are doing it wrong; use multikv like this instead:
| makeresults| eval _raw="active applicative code id infra interfaces portfolio
true 1234 0001 ABC
true 2345 0002 Infra2 Infra2 ABC,PQR
true list missing for the application 3456 0003 ABC,PQR"
| multikv forceheader=1
| makemv delim="," portfolio
| fields - _raw linecount
When cut-and-paste for testing be sure to carefully remove the leading space on every line or it will not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-26-2020
07:11 AM
Better yet, just dump it into a lookup file.
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
