Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Collect jemalloc heap data to troubleshoot high memory growth contributed by search process

keio_splunk
Splunk Employee
Splunk Employee
‎09-28-2020 01:40 AM

Splunk search process is consuming high memory causing splunkd to crash. How to collect jemalloc heap data for Splunk Technical Support to troubleshoot high memory growth issues contributed by the specific search process? 

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

keio_splunk
Splunk Employee
Splunk Employee
‎09-28-2020 02:00 AM

1. Start the search process. 

2. Run top command to list the PID of the search process consuming high memory.

3. Run ps command on the search process PID to list the search artifact directory.

 

ps -ef | grep <PID>

 

4. Go to the search artifact directory path and execute the "touch save" command to be sure that it is not reaped by the dispatch reaper.

 

cd $SPLUNK_HOME/var/run/splunk/dispatch/<sid>; touch save

 

5. Create a directory to save the jemalloc heap data.

 

mkdir -p /tmp/heap

 

6. Enable jemalloc heap collection from the search artifact directory path.

 

MALLOC_CONF="prof:true,prof_accum:true,prof_leak:true,lg_prof_interval:28,prof_prefix:/tmp/heap/heap_data" $SPLUNK_HOME/bin/splunk cmd splunkd search $(cat args.txt)

 

7. Stop the search once the issue has been reproduced. 

8. Tar up the heap data files using the tar command. 

 

tar cvzf heap.tar.gz /tmp/heap

 

9. Tar up search artifact folder. 

 

tar cvzf search-artifact.tar.gz $SPLUNK_HOME/var/run/splunk/dispatch/<sid>

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

keio_splunk
Splunk Employee
Splunk Employee
‎09-28-2020 02:00 AM

1. Start the search process. 

2. Run top command to list the PID of the search process consuming high memory.

3. Run ps command on the search process PID to list the search artifact directory.

 

ps -ef | grep <PID>

 

4. Go to the search artifact directory path and execute the "touch save" command to be sure that it is not reaped by the dispatch reaper.

 

cd $SPLUNK_HOME/var/run/splunk/dispatch/<sid>; touch save

 

5. Create a directory to save the jemalloc heap data.

 

mkdir -p /tmp/heap

 

6. Enable jemalloc heap collection from the search artifact directory path.

 

MALLOC_CONF="prof:true,prof_accum:true,prof_leak:true,lg_prof_interval:28,prof_prefix:/tmp/heap/heap_data" $SPLUNK_HOME/bin/splunk cmd splunkd search $(cat args.txt)

 

7. Stop the search once the issue has been reproduced. 

8. Tar up the heap data files using the tar command. 

 

tar cvzf heap.tar.gz /tmp/heap

 

9. Tar up search artifact folder. 

 

tar cvzf search-artifact.tar.gz $SPLUNK_HOME/var/run/splunk/dispatch/<sid>

 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...