Splunk:command.mvexpand: output will be truncated at 300 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached.

By:
On:
In: General
With: 0 Comments

I have a query:

| curl uri=https://myserver/users_list.json | table curl_message  | eval curl_message="{\"body\":" + curl_message + "}" | spath input=curl_message output=b path=body{} | mvexpand b | eval _raw=b | extract | fillnull value="None" | table name,email,role

Then i got this mvexpand gives “mvexpand output will be truncated due to excessive memory usage”

My fix is to remove some fields not necessary : | fields – _raw,curl_message 

| curl uri=https://myserver/users_list.json | table curl_message  | eval curl_message="{\"body\":" + curl_message + "}" | spath input=curl_message output=b path=body{} | fields - _raw,curl_message  | mvexpand b | eval _raw=b | extract | fillnull value="None" | table name,email,role

Leave a Reply

Your email address will not be published. Required fields are marked *