Hello,
One of the dashboards has a makeresults query like below, with about 250 append statements.
| makeresults| eval active="true"| makemv delim="," active| eval code="1234"| makemv delim="," code| eval portfolio="ABC"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0001"| makemv delim="," id
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="2345"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra="Infra2"| makemv delim="," infra| eval interfaces="Infra2"| makemv delim="," interfaces| eval id="0002"| makemv delim="," id]
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="3456"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=" list missing for the application"| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0003"| makemv delim="," id]
.... and so on
The query gets executed fine on Splunk v7.0 but is stuck on v7.3. The job progress remains at 0% and gets stuck.
I tried updating the configuration in limits.conf but in vain.
max_mem_usage_mb = 500
[searchresults]
maxresultrows = 86400
Has anyone faced such a problem in v7.3.3?
If I decrease the append statements to say 180, the query gets executed. So, it seems the issue is related to memory/result size but I haven't found any solution yet.
Thanks in advance.
It is the append list that is killing you. You are doing it wrong; use multikv like this instead:
| makeresults| eval _raw="active applicative                       code  id    infra   interfaces  portfolio
true                                     1234  0001                      ABC
true                                     2345  0002  Infra2  Infra2      ABC,PQR
true   list missing for the application  3456  0003                      ABC,PQR"
| multikv forceheader=1
| makemv delim="," portfolio
| fields - _raw linecount
When cutting and pasting for testing, be sure to carefully remove the leading space on every line or it will not work.
Better yet, just dump it into a lookup file.
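As an added example (not part of the original answer), the lookup-file suggestion can be automated: this Python script pulls the field values out of the makeresults/append chain and writes them as a CSV suitable for a lookup. The sample query is the three rows shown in the question; the lookup name app_matrix.csv is hypothetical, and values are assumed to contain no escaped double quotes.

```python
import csv
import io
import re

# Constructed sample: the three rows shown in the question.
SAMPLE_SPL = r'''| makeresults| eval active="true"| makemv delim="," active| eval code="1234"| makemv delim="," code| eval portfolio="ABC"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0001"| makemv delim="," id
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="2345"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra="Infra2"| makemv delim="," infra| eval interfaces="Infra2"| makemv delim="," interfaces| eval id="0002"| makemv delim="," id]
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="3456"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=" list missing for the application"| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0003"| makemv delim="," id]
'''

# Matches eval name="value" or eval name=null (null is captured as '').
EVAL_RE = re.compile(r'\beval\s+(\w+)\s*=\s*(?:"([^"]*)"|null\b)')


def spl_to_rows(spl):
    """Return one dict per makeresults block, keyed by field name."""
    rows = []
    # Every row of the dashboard query starts with its own "| makeresults".
    for block in re.split(r'\|\s*makeresults\b', spl)[1:]:
        row = dict(EVAL_RE.findall(block))
        if row:
            rows.append(row)
    return rows


def rows_to_lookup_csv(rows):
    """Serialise rows as CSV; multivalue fields stay comma-delimited."""
    fields = []
    for row in rows:
        for name in row:
            if name not in fields:
                fields.append(name)  # keep first-seen column order
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)  # missing fields are written as empty cells
    return out.getvalue()


if __name__ == "__main__":
    # Redirect to app_matrix.csv (hypothetical name) and upload as a lookup.
    print(rows_to_lookup_csv(spl_to_rows(SAMPLE_SPL)), end="")
```

Once the CSV is uploaded as a lookup, `| inputlookup app_matrix.csv | makemv delim="," portfolio` (plus a makemv for any other multivalue field) takes the place of the whole append chain.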