Deployment Architecture

How to restrict big searches on the search head that consume most of the CPU and memory?

msplunk33
Path Finder

Some users are sending heavy, not fine-tuned searches in the search head cluster, and this crashes our search head server. How can we restrict these kinds of heavy searches, which consume most of the CPU and memory?

0 Karma

shivanshu1593
Builder

I faced a similar sort of problem with some users. Here's what I did in limits.conf. Please define it in $SPLUNK_HOME/etc/user/user_name/local/limits.conf. Since this directory holds the highest precedence for a user, their memory consumption will reduce. You'll have to do it manually for all the users that you want to restrict.

If this seems like too much manual work (though it's highly effective and the best and recommended way), select an app, make it their default app and define these settings under /etc/apps/<their_default_app>/local/limits.conf. Please note that this will be effective for all the users who use this app, including yourself. Also note that if they use any other app to run and save their search, the setting will no longer apply to them (hence applying it to their user directories is the best solution).

[search]
enable_memory_tracker = true
search_process_memory_usage_threshold = <your desired value in MB. Defaults to 4000 (4 GB).>

As for CPU utilization, you can look into tuning their searches to run more efficiently and make them understand the value of effective searches. There's no limitation, as far as I know, that you can apply for CPU consumption. Though reducing the memory footprint will help with it a lot, as described above.

Let me know if it helps.

Thank you,

S

** If it helps. Please mark this as an accepted answer, as it helps future readers to get to the answers quickly **

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
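A quick way to check that a limits.conf file actually carries the two settings from the answer above, as an added example that is not part of the original posts and not Splunk's own tooling. The function name `audit_limits`, the `max_allowed_mb` policy ceiling and the sample text are assumptions made for illustration.

```python
import configparser

DEFAULT_THRESHOLD_MB = 4000.0  # default stated in the answer above
TRUE_VALUES = ("true", "1", "t", "yes")  # spellings treated as "on" here (assumption)

def audit_limits(conf_text, max_allowed_mb=2000.0):
    """Return a list of findings for the text of one limits.conf file.

    max_allowed_mb is a hypothetical local policy ceiling, not a Splunk setting.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    try:
        parser.read_string(conf_text)
    except configparser.MissingSectionHeaderError:
        return ["settings appear before any stanza header; expected under [search]"]
    if not parser.has_section("search"):
        return ["no [search] stanza: memory tracker settings are not set here"]
    search = parser["search"]
    findings = []
    tracker = search.get("enable_memory_tracker", "false").strip().lower()
    if tracker not in TRUE_VALUES:
        findings.append("enable_memory_tracker is not true: threshold is not enforced")
    raw = search.get("search_process_memory_usage_threshold")
    if raw is None:
        threshold = DEFAULT_THRESHOLD_MB
        findings.append("threshold not set: default of 4000 MB applies")
    else:
        try:
            threshold = float(raw)
        except ValueError:
            # Catches a copied-but-unfilled placeholder such as "<your desired value ...>"
            findings.append(f"threshold is not a number: {raw!r}")
            return findings
    if threshold > max_allowed_mb:
        findings.append(
            f"threshold {threshold:g} MB exceeds policy of {max_allowed_mb:g} MB")
    return findings

# Constructed sample input: tracker enabled, threshold left at the 4 GB default value.
SAMPLE = """[search]
enable_memory_tracker = true
search_process_memory_usage_threshold = 4000
"""

if __name__ == "__main__":
    for finding in audit_limits(SAMPLE):
        print(finding)
```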

richgalloway
SplunkTrust

Check out the Workload Management feature at https://docs.splunk.com/Documentation/Splunk/8.0.6/Workloads/Aboutworkloadmanagement

---
If this reply helps you, Karma would be appreciated.
0 Karma

msplunk33
Path Finder

This documentation is very good; however, it is so elaborate. Can I have some easy mechanism to restrict the users' memory and CPU usage with minimum config?

0 Karma