Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

High RAM usage on Splunk Indexer

rdelmark
Explorer
‎11-26-2013 01:46 PM

At times I have seen users run searches like index=* and let it run, (this user only has restricted access to 3 indexes of our 35 total), this search take up to 7GB of RAM on the Splunk Indexer.

How can we control this, we have 100 Splunk users. In the past some users have pushed the Splunk indexer RAM usage up to 99% and froze the Splunk indexer.

Tags (2)
0 Karma
Reply

rdelmark
Explorer
‎11-27-2013 08:23 AM

Thank-you so much for the quick reply and excellent suggestions. I will educate my users, would you be able to supply me with a sample search that I can use to determine long running searches please.

0 Karma
Reply

_d_
Splunk Employee
Splunk Employee
‎11-26-2013 04:16 PM

Although index=* is a pretty bad search, it is also a legitimate one, so you can't really use any search filters. There are several things that you can do here but none of them will pay better than educating your users. Other solutions include, (1) changing the default Time Range Picker from All Time to Last 60min or Last 24hr, and/or (2) getting alerted on long running searches and taking corresponding action to kill the offending process.

Reply

_d_
Splunk Employee
Splunk Employee
‎11-27-2013 08:37 AM

There are several ways to get that information. But first I would use the _audit index to identify users with historically long running searches and inform them appropriately. Next, to determine currently long running searches I would use the following search | rest /services/search/jobs | search dispatchState=RUNNING | table dispatchState runDuration title and check the runDuration field for excessive values - whatever that means in your context.

0 Karma
Reply

rdelmark
Explorer
‎11-27-2013 08:24 AM

Thank-you so much for the quick reply and excellent suggestions. I will educate my users, would you be able to supply me with a sample search that I can use to determine long running searches please.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...