My query, after finalizing for some time, gives me: The search process with sid= was forcefully terminated because its physical memory usage has exceeded the 'search_process_memory_usage_threshold' setting in limits.conf. I am not allowed to increase memory... Any suggestions on how to tweak the query to avoid forceful termination?

=================

(index=bsa) sourcetype=wf:esetext:user_banks:db OR sourcetype=wf:esetext:soc_sare_data:db au!="0*"
| stats values(bank_name) as bank_name, values(bank_type) as type, values(pwd_expires) as pwd_expires, values(is_interactive) as is_interactive, values(au_owner_name) as au_owner_name, values(au_owner_email) as au_owner_email, values(service_bank_name) as service_bank_name, values(owner_elid) as owner_elid, values(manager_name) as manager_name BY au
| eval bank_name=coalesce(bank_name,service_bank_name)
| eval user=lower(bank_name)
| dedup user
| rex field=user "[^:]+:(?<user>[^\s]+)"
| fields - bank_name
| stats values(au_owner_email) as au_owner_email, values(au_owner_name) as au_owner_name, values(owner_elid) as owner_elid, max(manager_name) as manager_name BY user, service_bank_name, type, pwd_expires, is_interactive