Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk hight monitoring memory vs VM low memory used

_olivier_
Path Finder
‎10-08-2024 04:58 AM

Hi splunkers !

 

I got a question about memory. 

 

In my splunk monitoring console, I get approx 90% of memory used by splunk processes. The amount of memory is 48 Gb

In my VCenter, I can see that only half of the assigned memory is used (approx 24 Gb over 48Gb available).

 

Who is telling me the truth : Splunk monitoring or Vcenter.

And overall, is there somthing to configure in Splunk to fit the entire available memory.

 

Splunk 9.2.2 / redhat 7.8

Thank you .

 

Olivier.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎10-08-2024 07:23 AM

Splunk information is a snap shot in time and reflects the reality every 10 seconds.

https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTintrospect#server.2Fstatus.2Fresource...

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval pct_mem=round(('data.mem_used'/'data.mem')*100,2)
| timechart span=10s max(pct_mem) as pct_mem

That will give you the overall view.

index=_introspection sourcetype=splunk_resource_usage component=PerProcess "data.mem_used"="*"
| rename data.* as *
| timechart span=10s max(mem_used) as mem_used by process_type

This will break it down by process over time.

 

Review with your VM metrics, perhaps VMC is reporting averages or median per time period.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

_olivier_
Path Finder
‎10-14-2024 01:02 AM

Hi, there were average values due to time period too large.

0 Karma
Reply
Solved! Jump to solution
Solution

dural_yyz
Motivator
‎10-08-2024 07:23 AM

Splunk information is a snap shot in time and reflects the reality every 10 seconds.

https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTintrospect#server.2Fstatus.2Fresource...

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval pct_mem=round(('data.mem_used'/'data.mem')*100,2)
| timechart span=10s max(pct_mem) as pct_mem

That will give you the overall view.

index=_introspection sourcetype=splunk_resource_usage component=PerProcess "data.mem_used"="*"
| rename data.* as *
| timechart span=10s max(mem_used) as mem_used by process_type

This will break it down by process over time.

 

Review with your VM metrics, perhaps VMC is reporting averages or median per time period.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...