Hello,
One of the dashboards has a makeresults query like below, with about 250 append statements.
| makeresults| eval active="true"| makemv delim="," active| eval code="1234"| makemv delim="," code| eval portfolio="ABC"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0001"| makemv delim="," id
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="2345"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=null| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra="Infra2"| makemv delim="," infra| eval interfaces="Infra2"| makemv delim="," interfaces| eval id="0002"| makemv delim="," id]
| append [| makeresults| eval active="true"| makemv delim="," active| eval code="3456"| makemv delim="," code| eval portfolio="ABC,PQR"| makemv delim="," portfolio| eval applicative=" list missing for the application"| makemv delim="," applicative| eval availability=null| makemv delim="," availability| eval infra=null| makemv delim="," infra| eval interfaces=null| makemv delim="," interfaces| eval id="0003"| makemv delim="," id]
.... and so on
The query gets executed fine on Splunk v7.0 but is stuck on v7.3. The job progress remains at 0% and gets stuck.
I tried updating the configuration in limits.conf but in vain.
max_mem_usage_mb = 500
[searchresults]
maxresultrows = 86400
Has anyone faced such a problem in v7.3.3?
If I decrease the append statements to say 180, the query gets executed. So, it seems the issue is related to memory/result size but I haven't found any solution yet.
Thanks in advance.
... View more