Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- unable to solve "mvexpand: output will be truncate...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
unable to solve "mvexpand: output will be truncated due to excessive memory usage."
Hello,
I am running into an issue with some spath and mvexpand functions in splunk. I get the following error: "output will be truncated at 3700 results due to excessive memory usage."
after searching here few previous answer worked. However it is not working out for me
Here is my search
index=ehub-loop
|rex "(?:((?:\[BEGIN LOGGING AT (?<Event_Timestamp>.*)\]\n)?)((?:(?P<Event_log_entry>(?s).*)\n)?)((?:\[END LOGGING])?))" offset_field=_extracted_fields_bounds
| rex field=Event_log_entry max_match=0 "^(?<single_log_entry>.+)\n*" offset_field=_extracted_fields_bounds
| mvexpand single_log_entry
| rex field=single_log_entry "(?P<log_Timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3})\s+(?P<log_level>[^ ]+)\s+\[(?P<Thread_Number>[^ ]+)\]\s+(?P<Class_Name>[^ ]+)\s+\-\s+(?P<log_msg>(?s).*)" offset_field=_extracted_fields_bounds
|stats count(Class_Name) as Error_Count by Class_Name,log_level,log_msg
Each event will be like
[BEGIN LOGGING AT 2021-05-20 21:00:12,505]
2021-05-21 12:09:40,460 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,476 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,507 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,507 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,522 Loglevel [Threadid] Classname - logmsg
[END LOGGING]
Please help me out
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
index=ehub-loop
| rex "(?:((?:\[BEGIN LOGGING AT (?<Event_Timestamp>.*)\]\n)?)((?:(?P<Event_log_entry>(?s).*)\n)?)((?:\[END LOGGING])?))" offset_field=_extracted_fields_bounds
| rex field=Event_log_entry max_match=0 "^(?<single_log_entry>.+)\n*" offset_field=_extracted_fields_bounds
| stats count by single_log_entry
| rex field=single_log_entry "(?P<log_Timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3})\s+(?P<log_level>[^ ]+)\s+\[(?P<Thread_Number>[^ ]+)\]\s+(?P<Class_Name>[^ ]+)\s+\-\s+(?P<log_msg>(?s).*)" offset_field=_extracted_fields_bounds
| stats sum(count) as Error_Count by Class_Name,log_level,log_msg
My Sample Search :
| makeresults | eval _raw="[BEGIN LOGGING AT 2021-05-20 21:00:12,505]
2021-05-21 12:09:40,460 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,476 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,507 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,507 Loglevel [Threadid] Classname - logmsg
2021-05-21 12:09:40,522 Loglevel [Threadid] Classname - logmsg
[END LOGGING]
" | multikv
| rex "(?:((?:\[BEGIN LOGGING AT (?<Event_Timestamp>.*)\]\n)?)((?:(?P<Event_log_entry>(?s).*)\n)?)((?:\[END LOGGING])?))" offset_field=_extracted_fields_bounds
| rex field=Event_log_entry max_match=0 "^(?<single_log_entry>.+)\n*" offset_field=_extracted_fields_bounds
| stats count by single_log_entry
| rex field=single_log_entry "(?P<log_Timestamp>\d{4}\-\d{2}\-\d{2}\s\d{2}:\d{2}:\d{2}\,\d{3})\s+(?P<log_level>[^ ]+)\s+\[(?P<Thread_Number>[^ ]+)\]\s+(?P<Class_Name>[^ ]+)\s+\-\s+(?P<log_msg>(?s).*)" offset_field=_extracted_fields_bounds
| stats sum(count) as Error_Count by Class_Name,log_level,log_msg
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco
Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data
Your summer travels continue with new course releases
