Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk hight monitoring memory vs VM low memory used

_olivier_
Path Finder
‎10-08-2024 04:58 AM

Hi splunkers !

 

I got a question about memory. 

 

In my splunk monitoring console, I get approx 90% of memory used by splunk processes. The amount of memory is 48 Gb

In my VCenter, I can see that only half of the assigned memory is used (approx 24 Gb over 48Gb available).

 

Who is telling me the truth : Splunk monitoring or Vcenter.

And overall, is there somthing to configure in Splunk to fit the entire available memory.

 

Splunk 9.2.2 / redhat 7.8

Thank you .

 

Olivier.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎10-08-2024 07:23 AM

Splunk information is a snap shot in time and reflects the reality every 10 seconds.

https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTintrospect#server.2Fstatus.2Fresource...

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval pct_mem=round(('data.mem_used'/'data.mem')*100,2)
| timechart span=10s max(pct_mem) as pct_mem

That will give you the overall view.

index=_introspection sourcetype=splunk_resource_usage component=PerProcess "data.mem_used"="*"
| rename data.* as *
| timechart span=10s max(mem_used) as mem_used by process_type

This will break it down by process over time.

 

Review with your VM metrics, perhaps VMC is reporting averages or median per time period.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

_olivier_
Path Finder
‎10-14-2024 01:02 AM

Hi, there were average values due to time period too large.

0 Karma
Reply
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎10-08-2024 07:23 AM

Splunk information is a snap shot in time and reflects the reality every 10 seconds.

https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTintrospect#server.2Fstatus.2Fresource...

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval pct_mem=round(('data.mem_used'/'data.mem')*100,2)
| timechart span=10s max(pct_mem) as pct_mem

That will give you the overall view.

index=_introspection sourcetype=splunk_resource_usage component=PerProcess "data.mem_used"="*"
| rename data.* as *
| timechart span=10s max(mem_used) as mem_used by process_type

This will break it down by process over time.

 

Review with your VM metrics, perhaps VMC is reporting averages or median per time period.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...