Amazon Linux 2023 performance troubleshooting

briancronrath
Contributor

I have been tasked with building out new instances of anything that runs an older OS, and for our EC2 instances this most often means I have to rebuild the instance on Amazon Linux 2023. What I've noticed, particularly with our heavy forwarders, is that they are constantly dying and ballooning memory to 100% with no rhyme or reason as to why (not heavy load, happens to random servers at random times, and there should be no world where the memory even comes close to getting consumed considering the low level of traffic for the servers in question which are in our lab environment).

We're running Splunk version 10.0.2.

Nothing helpful ever in the logs aside from indications that it ran OOM. I've randomly tested with making absurdly large instances to see if the issue still occurs, and sure enough it does; there's not enough memory in the world to handle whatever error seems to be occurring, so it seems to be something more akin to a bug that's occurring.

I'm curious if anyone else has run into issues with AL2023 and running Splunk?

0 Karma

PickleRick
SplunkTrust

It's not very probable that this is your case, but I had such behaviour (and it was on HFs, as in your case) when the KV-store was not fully upgraded.

For some reason the HFs didn't fully migrate from the previous engine to wiredtiger. The files on the disk were still from the pre-wiredtiger mongo but the configuration suggested it was wiredtiger. As a result, the kvstore would start but after a very short time would die. And splunkd would start pumping up memory usage to the point where OOM would kill it. Then the service would get automatically restarted and the fun would start again.

We had a "cluster" of 4 intermediate HFs and they were restarting one at a time, so we actually found out about it kinda by accident.

But it was 9.0. I'm not sure if your 10.0.2 would even try to start not having fully migrated to wiredtiger.

0 Karma
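
The mismatch described in the reply above (configuration naming wiredTiger while the KV store directory still holds files from the older engine) can be checked from the shell. This is an added example, not part of the thread and not Splunk tooling; the function names and the file-signature heuristic (`WiredTiger.wt` / `WiredTiger.turtle` for WiredTiger, `*.ns` files for the older MMAPv1 engine) are assumptions, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example, not Splunk tooling: compare the KV store engine named in
# configuration with the engine whose files are actually in the dbpath.

# Print storageEngine from the [kvstore] stanza of a server.conf-style file
# (saved `splunk btool server list kvstore` output also works). Empty if unset.
configured_engine() {
    awk '
        /^[ \t]*\[/ { in_kv = ($0 ~ /^[ \t]*\[kvstore\]/); next }
        in_kv && /^[ \t]*storageEngine[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# Classify a MongoDB dbpath by the files each engine leaves behind:
# WiredTiger keeps WiredTiger.wt / WiredTiger.turtle, MMAPv1 keeps <db>.ns files.
disk_engine() {
    wt=no; mm=no
    if [ -e "$1/WiredTiger.wt" ] || [ -e "$1/WiredTiger.turtle" ]; then wt=yes; fi
    for f in "$1"/*.ns; do
        if [ -e "$f" ]; then mm=yes; break; fi
    done
    case "$wt$mm" in
        yesno)  echo wiredTiger ;;
        noyes)  echo mmap ;;
        yesyes) echo mixed ;;
        *)      echo unknown ;;
    esac
}

# Return 0 when config and disk agree, 1 on mismatch, 2 when undetermined.
check_kvstore() {
    conf=$(configured_engine "$1"); disk=$(disk_engine "$2")
    echo "configured=${conf:-unset} on_disk=$disk"
    if [ -z "$conf" ] || [ "$disk" = unknown ]; then return 2; fi
    a=$(printf %s "$conf" | tr 'A-Z' 'a-z'); b=$(printf %s "$disk" | tr 'A-Z' 'a-z')
    [ "$a" = "$b" ]
}

# Constructed sample: config says wiredTiger, dbpath still holds MMAPv1 files.
demo=$(mktemp -d)
printf '[kvstore]\nstorageEngine = wiredTiger\n' > "$demo/server.conf"
mkdir "$demo/mongo"; : > "$demo/mongo/local.ns"; : > "$demo/mongo/local.0"
check_kvstore "$demo/server.conf" "$demo/mongo" || echo "mismatch or undetermined (status $?)"
rm -rf "$demo"
```

On a real forwarder, pass the effective configuration (btool output, since settings are layered) and the KV store dbpath, which is assumed here to be `$SPLUNK_DB/kvstore/mongo` in a default layout.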