Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does an AIX 6.5.2 forwarder have high swap/memory and cpu consumption?

ddrillic
Ultra Champion
‎12-04-2017 02:43 PM

We see the following - 

sh-4.2$ ps avwx | head -1; ps avwx | sort +4n -r | head -10
      PID    TTY STAT  TIME PGIN  SIZE   RSS   LIM  TSIZ   TRS %CPU %MEM COMMAND
  7274610      - A    51121:15 3427531 1739848 749560    xx 100303  9692  1.0  8.0 splunkd -p 8089 start

What can it be?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎12-04-2017 11:34 PM

I suspect you are misinterpreting the stats if the question is correct, I would suggest you use svmon in AIX to accurately determine the memory in use.
Reading your question you appear to be using 1% CPU.

Here's how to measure memory use in AIX:
svmon -P 7274610 -O unit=MB

I checked two production forwarders, a 6.5.2 instance was:
Pid Command Inuse Pin Pgsp Virtual
22937622 splunkd 1570.29 39.6 0 300.84

Another instance I checked 7.0.0:
Pid Command Inuse Pin Pgsp Virtual
57540776 splunkd 1185.07 256.23 4.55 558.29

Both show 1% CPU in the ps command, you might like to open topas in AIX and see if you are seeing high CPU by Splunk.

If you are looking for a more comprehensive monitoring solution I use the Nmon application for Splunk on AIX servers (and Linux) , the official Splunk add on for unix is here and the app is here

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎12-04-2017 11:34 PM

I suspect you are misinterpreting the stats if the question is correct, I would suggest you use svmon in AIX to accurately determine the memory in use.
Reading your question you appear to be using 1% CPU.

Here's how to measure memory use in AIX:
svmon -P 7274610 -O unit=MB

I checked two production forwarders, a 6.5.2 instance was:
Pid Command Inuse Pin Pgsp Virtual
22937622 splunkd 1570.29 39.6 0 300.84

Another instance I checked 7.0.0:
Pid Command Inuse Pin Pgsp Virtual
57540776 splunkd 1185.07 256.23 4.55 558.29

Both show 1% CPU in the ps command, you might like to open topas in AIX and see if you are seeing high CPU by Splunk.

If you are looking for a more comprehensive monitoring solution I use the Nmon application for Splunk on AIX servers (and Linux) , the official Splunk add on for unix is here and the app is here

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-04-2017 02:51 PM

Try accessing this REST endpoint on your UF https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus to see how may files are being monitored. High numbers of monitored files can cause such behaviour ...

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-04-2017 02:56 PM

@MuS - only two files are being monitored ...

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-04-2017 03:38 PM

How many directories needs to be scanned by the UF to reach those two files? Also can you try truss the process and see what it actually does?

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎12-04-2017 03:52 PM

Barely five directories and explicit two files to monitor ; - ) maybe an AIX specific issue?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-04-2017 05:09 PM

Actually looking at the numbers are 1% CPU and 8% memory usage really that high? Does vmstat provide some hints where the potential bottleneck could be?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...