https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351798#M104123 <PRE><CODE>*Forcefully terminated search process with sid=1517416303.2383_ABC123 since its physical memory usage (36521.336000 MB) has exceeded the physical memory threshold specified in limits.conf/search_process_memory_usage_threshold (32768.000000 MB).* </CODE></PRE> <P>Does anyone have a solution for this issue where using stats dc(field) results in forceful termination of the search? I cannot raise the memory allowance any higher (currently 32Gb) which risks our searcher going down when a user runs this type of query. </P> <P>Obviously, it is caused by higher distinct counts but it is nothing unreasonable about the query. </P> <P>Surely, Splunk has seen this many times and has a solution?<BR /> Is there some additional configuration that will allow us to workaround the high memory consumption for this type of search?</P> Wed, 31 Jan 2018 18:07:05 GMT the_wolverine 2018-01-31T18:07:05Z https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351798#M104123 <PRE><CODE>*Forcefully terminated search process with sid=1517416303.2383_ABC123 since its physical memory usage (36521.336000 MB) has exceeded the physical memory threshold specified in limits.conf/search_process_memory_usage_threshold (32768.000000 MB).* </CODE></PRE> <P>Does anyone have a solution for this issue where using stats dc(field) results in forceful termination of the search? I cannot raise the memory allowance any higher (currently 32Gb) which risks our searcher going down when a user runs this type of query. </P> <P>Obviously, it is caused by higher distinct counts but it is nothing unreasonable about the query. </P> <P>Surely, Splunk has seen this many times and has a solution?<BR /> Is there some additional configuration that will allow us to workaround the high memory consumption for this type of search?</P> Wed, 31 Jan 2018 18:07:05 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351798#M104123 the_wolverine 2018-01-31T18:07:05Z https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351799#M104124 <P>Can you share your search string? How much data is this searching and for what size time window?</P> Wed, 31 Jan 2018 23:25:00 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351799#M104124 davpx 2018-01-31T23:25:00Z https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351800#M104125 <P>To reduce DC memory impact you can change </P> <PRE><CODE>[stats] dc_digest_bits=9 </CODE></PRE> <P>But the result can be approximative =/</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bstats.7Csistats.5D">limits.conf reference</A></P> Thu, 01 Feb 2018 09:41:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351800#M104125 jeanyvesnolen 2018-02-01T09:41:45Z https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351801#M104126 <P>Yeah, estimate is not ok and in the case where it is estdc can be used. Depending on the data set, sometimes it works and other times still fails due to splunkd forcefully terminated.</P> Fri, 02 Feb 2018 22:17:33 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351801#M104126 the_wolverine 2018-02-02T22:17:33Z https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351802#M104127 <P>After dealing with this for a few years, it turns out that when a dc(field) causes out of memory forceful termination, just refactor the query to use :</P> <PRE><CODE>... | stats count by field | stats count </CODE></PRE> <P>The tradeoff here is that this type of search will consume more disk, however, a reasonable amount of memory will be consumed which will less likely cause the search to be forcefully terminated due to memory. The new risk now is possible termination caused by exceeding disk quota allocated for search.</P> Tue, 06 Feb 2018 00:50:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/351802#M104127 the_wolverine 2018-02-06T00:50:08Z https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/634219#M220298 <P>I had the same issue, I used that strat and I ran out of search disk memory quota.</P><P>&nbsp;</P><P>What about the chunk_size parameter? Does it make long DC() searches possible?</P> Mon, 13 Mar 2023 07:57:26 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-there-forceful-termination-of-the-search-process-when/m-p/634219#M220298 isaiz 2023-03-13T07:57:26Z