
Datamodel Acceleration Consuming High Memory at certain times of the day

nh2017
Observer

Hi Everyone,

Our environment consists of an indexer cluster and independent SHs. ES runs on a single SH. We are seeing memory usage spikes on the indexers at certain times of the day/night. There is no consistency or pattern to this. Resource usage usually drops after a few hours without much intervention. Sometimes a peer is considered "down" when there is excessive memory and CPU usage on that peer. When this happens, the cluster tries to recover, which causes a lot of unnecessary "bucket fixup". We have not upgraded the servers recently or updated ES. I can provide more details based on your questions. Here are a few observations:

1. When the memory spikes on indexers, there are multiple executions of the datamodel accelerations running during the same instant (referring to the _time). Count is 2 or 3. Max concurrency for datamodels is set to 3. At other times (when memory usage is low), only 1 execution is seen. Please see below for clarification of the count I am referring to:

[Screenshot: Screen Shot 2021-03-04 at 5.47.17 PM.png]

2. On some days, search concurrency in the cluster was too high (over 200). I am working on reducing the number of concurrent searches allowed on the SH and available to scheduled searches. But this is also not consistent. For example, we did not have that many concurrent users or searches in the environment but we still had high memory usage across indexers.

Any help or insight would be appreciated. Working with support as well but it's unclear why the datamodels suddenly push the indexers to use over 80% of memory. Our machines are over-provisioned for the most part. 

For example, the acceleration that normally takes less than 3G would suddenly take over 5G or 9G of memory.

 

Thanks!

richgalloway
SplunkTrust

Memory use is related to the number of events processed by the datamodel.  Is it possible the periods of high utilization are during times of increased data ingestion?  That would mean the DM has to process more events and therefore use more memory.

---
If this reply helps you, Karma would be appreciated.

nh2017
Observer

Hi @richgalloway ,

On some days, there was an increase in indexing rate prior to the DM concurrent accelerations being kicked off.  On other days, ingestion went down significantly just before we got the high memory alert.
