Deployment Architecture

Splunk hight monitoring memory vs VM low memory used

_olivier_
Explorer

Hi splunkers !

 

I got a question about memory. 

 

In my splunk monitoring console, I get approx 90% of memory used by splunk processes. The amount of memory is 48 Gb

In my VCenter, I can see that only half of the assigned memory is used (approx 24 Gb over 48Gb available).

 

Who is telling me the truth : Splunk monitoring or Vcenter.

And overall, is there somthing to configure in Splunk to fit the entire available memory.

 

Splunk 9.2.2 / redhat 7.8

Thank you .

 

Olivier.

Labels (2)
0 Karma
1 Solution

dural_yyz
Builder

Splunk information is a snap shot in time and reflects the reality every 10 seconds.

https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTintrospect#server.2Fstatus.2Fresource...

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval pct_mem=round(('data.mem_used'/'data.mem')*100,2)
| timechart span=10s max(pct_mem) as pct_mem

That will give you the overall view.

index=_introspection sourcetype=splunk_resource_usage component=PerProcess "data.mem_used"="*"
| rename data.* as *
| timechart span=10s max(mem_used) as mem_used by process_type

This will break it down by process over time.

 

Review with your VM metrics, perhaps VMC is reporting averages or median per time period.

View solution in original post

0 Karma

_olivier_
Explorer

Hi, there were average values due to time period too large.

0 Karma

dural_yyz
Builder

Splunk information is a snap shot in time and reflects the reality every 10 seconds.

https://docs.splunk.com/Documentation/Splunk/9.3.1/RESTREF/RESTintrospect#server.2Fstatus.2Fresource...

index=_introspection sourcetype=splunk_resource_usage component=Hostwide
| eval pct_mem=round(('data.mem_used'/'data.mem')*100,2)
| timechart span=10s max(pct_mem) as pct_mem

That will give you the overall view.

index=_introspection sourcetype=splunk_resource_usage component=PerProcess "data.mem_used"="*"
| rename data.* as *
| timechart span=10s max(mem_used) as mem_used by process_type

This will break it down by process over time.

 

Review with your VM metrics, perhaps VMC is reporting averages or median per time period.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...