https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426056#M74667 <P>Our indexers are in a cluster. We have 4 indexers and they are crashing once a week, I do not how to start investigating. <BR /> I tried several ways but not able to identify anything with that.</P> <P>1) Whenever they crash, CPU load and memory and swap will be exhausted. It only happened during the crash time most of the time they are so less utilized.</P> <P>free -g<BR /> total used free shared buffers cached<BR /> Mem: 11 10 0 0 0 9<BR /> -/+ buffers/cache: 0 10<BR /> Swap: 3 0 3</P> <P>2) Also, we are seeing one accelerated search the is getting completed during this time.</P> <P>Just let me know if any there is any info I should provide.</P> <P>Please help us with this.</P> Fri, 02 Aug 2019 19:14:32 GMT shivanandbm 2019-08-02T19:14:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426056#M74667 <P>Our indexers are in a cluster. We have 4 indexers and they are crashing once a week, I do not how to start investigating. <BR /> I tried several ways but not able to identify anything with that.</P> <P>1) Whenever they crash, CPU load and memory and swap will be exhausted. It only happened during the crash time most of the time they are so less utilized.</P> <P>free -g<BR /> total used free shared buffers cached<BR /> Mem: 11 10 0 0 0 9<BR /> -/+ buffers/cache: 0 10<BR /> Swap: 3 0 3</P> <P>2) Also, we are seeing one accelerated search the is getting completed during this time.</P> <P>Just let me know if any there is any info I should provide.</P> <P>Please help us with this.</P> Fri, 02 Aug 2019 19:14:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426056#M74667 shivanandbm 2019-08-02T19:14:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426057#M74668 <P>There are some helpful searches in case of crash:</P> <P>1) When did Splunk last crash?</P> <PRE><CODE>index=_internal sourcetype=splunkd_crash_log | stats count by host </CODE></PRE> <P>2) Show me all Splunk restarts based on loader?</P> <PRE><CODE>index=_internal sourcetype=splunkd loader message=*xml </CODE></PRE> <P>3) Lengthy search?</P> <PRE><CODE>index="_audit" action="search" (id=* OR search_id=*) | eval user=if(user=="n/a",null(),user) | stats max(total_run_time) as total_run_time first(user) as user by search_id | stats count perc95(total_run_time) median(total_run_time) by user </CODE></PRE> <P>You might need to check <CODE>Monitoring Console &gt;&gt; Resource Usage</CODE> to check memory and disk space usage within crash time period.</P> Fri, 02 Aug 2019 20:41:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426057#M74668 mayurr98 2019-08-02T20:41:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426058#M74669 <P>Thanks alot for replying. I am not getting any output in crash search and restart based on loader search.<BR /> Splunk system user are the top performer during that time.<BR /> Also memory and swap are completely exhausted and then our splunk process stopped in the indexer..I restarted manually.</P> <P>just want to know why the memory and swap are getting exhausted for short duration of time. also i see high load during that time.</P> <P>also i had seen all the forwarders are disconnected during that time as i got forwarder missing alerts for so many forwarders.</P> <P>I am not seeing anything in crashlog..</P> <P>Our splunk process stopped and i restarted it manually.</P> <P>Regards,Shivanand</P> Sat, 03 Aug 2019 05:00:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-investigate-crashing-indexer/m-p/426058#M74669 shivanandbm 2019-08-03T05:00:12Z