https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157189#M7631 <P>Thank-you so much for the quick reply and excellent suggestions. I will educate my users, would you be able to supply me with a sample search that I can use to determine long running searches please.</P> Wed, 27 Nov 2013 16:23:47 GMT rdelmark 2013-11-27T16:23:47Z https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157187#M7629 <P>At times I have seen users run searches like index=* and let it run, (this user only has restricted access to 3 indexes of our 35 total), this search take up to 7GB of RAM on the Splunk Indexer.</P> <P>How can we control this, we have 100 Splunk users. In the past some users have pushed the Splunk indexer RAM usage up to 99% and froze the Splunk indexer.</P> Tue, 26 Nov 2013 21:46:00 GMT https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157187#M7629 rdelmark 2013-11-26T21:46:00Z https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157188#M7630 <P>Although <CODE>index=*</CODE> is a pretty bad search, it is also a legitimate one, so you can't really use any search filters. There are several things that you can do here but none of them will pay better than <STRONG>educating your users</STRONG>. Other solutions include, (1) changing the default Time Range Picker from All Time to Last 60min or Last 24hr, and/or (2) getting alerted on long running searches and taking corresponding action to kill the offending process. </P> Wed, 27 Nov 2013 00:16:56 GMT https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157188#M7630 _d_ 2013-11-27T00:16:56Z https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157189#M7631 <P>Thank-you so much for the quick reply and excellent suggestions. I will educate my users, would you be able to supply me with a sample search that I can use to determine long running searches please.</P> Wed, 27 Nov 2013 16:23:47 GMT https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157189#M7631 rdelmark 2013-11-27T16:23:47Z https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157190#M7632 <P>Thank-you so much for the quick reply and excellent suggestions. I will educate my users, would you be able to supply me with a sample search that I can use to determine long running searches please.</P> Wed, 27 Nov 2013 16:24:08 GMT https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157190#M7632 rdelmark 2013-11-27T16:24:08Z https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157191#M7633 <P>There are several ways to get that information. But first I would use the _audit index to identify users with historically long running searches and inform them appropriately. Next, to determine <EM>currently</EM> long running searches I would use the following search <CODE>| rest /services/search/jobs | search dispatchState=RUNNING | table dispatchState runDuration title</CODE> and check the <CODE>runDuration</CODE> field for excessive values - whatever that means in your context.</P> Wed, 27 Nov 2013 16:37:57 GMT https://community.splunk.com/t5/Knowledge-Management/High-RAM-usage-on-Splunk-Indexer/m-p/157191#M7633 _d_ 2013-11-27T16:37:57Z