Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to restrict big search on search head which consume most of CPU and memory.

msplunk33
Path Finder
‎10-07-2020 11:10 AM

Some users sending heavy, not fine tuned searches in search head cluster and this crash our search head server. How can restrict these kind of heavy searches which consume most of CPU and memory.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

shivanshu1593
Builder
‎10-07-2020 02:49 PM

I faced a similar sort of problem with some users. Here's what I did in limits.conf. Please define it in $SPLUNK_HOME/etc/user/user_name/local/limits.conf.  Since this directory holds highest precedence for a user, their memory consumption will reduce. You'll have to do it for all the users that you want to restrict, manually.

If this seems too much of a manual work (though it's a highly effective and the best and recommended way), select an app, make it their default app and define these settings under /etc/apps/<their_default_app>/local/limits.conf. Please note, this will be effective for all the users, who will be using this app, including yourself. Also note, that if they use any other app to run and save their search, the setting would no longer be applicable to them (Hence applying to their user directories is the best solution)

enable_memory_tracker = true
search_process_memory_usage_threshold = <your desired value in MB. Defaults to 4000 (4 GB).>

 

For the part of CPU utilization, you can look into tuning their searches to run more efficiently, make them understand the value of effective searches. There's no limitation, as far as I know, that you can apply for CPU consumption. Though, reducing memory footprint will help with it a lot, as described above.

Let me know if it helps.

Thank you,

S

** If it helps. Please mark this as an accepted answer, as it helps future readers to get to the answers quickly **

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2020 12:14 PM

Check out the Workload Management feature at https://docs.splunk.com/Documentation/Splunk/8.0.6/Workloads/Aboutworkloadmanagement

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

msplunk33
Path Finder
‎10-07-2020 02:27 PM

This documentation very good however it is so elaborate. Can I have a some easy mechanism to restrict the users memory and CPU usage with minimum config.

Tags (1)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...