Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

High swap space observed in HF ?

narisree1
Loves-to-Learn Everything
‎10-21-2020 04:30 AM

We are getting alert from our LInux team stating high swap space observed for splunkd process on the Heavy forwarder which also acts as a syslog server .

Below command is said to be consuming

splunkd --under-systemd --systemd-delegate=yes -p 8089 _internal_launch_under_systemd
 
PID      USER PR  NI  VIRT           RES        SHR     S      %CPU  %MEM   TIME+     COMMAND
5580 splunk 20 0 4966352 878220 15516  S         57.8         5.4     5028:07   splunk
 
SWAP TOTAL = 4617084928 bytes
SWAP USED = 4617084928 bytes
 
Please let me know what should be done to fix this issue .
Labels (1)
0 Karma
Reply

narisree1
Loves-to-Learn Everything
‎10-21-2020 07:06 AM

Well there is 1 TB of space and only 9 % is used with respective to the storage space . Issue observed is that the CPU usage goes beyond 100% and memory space utilization is high  . 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2020 06:36 AM

Using swap is not abnormal.  A process that needs a lot of memory to handle a lot of data will swap when it needs more memory.

When you say "HF which also acts as a syslog server" does that mean syslog events are received on port 514 of the HF?  If so, that's sub-optimal.  Use a real, dedicated syslog server (like rsyslog or syslog-ng) with a universal forwarder.  Even better is the Splunk Connect for Syslog (SC4S) app, which is a Docker app that receives syslog and forwards it to HEC inputs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...