Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I generate a search which uses lots of memory?

danielbb
Motivator
‎05-20-2020 12:24 PM

We are about to enable the enable_memory_tracker feature.

We'll use -

enable_memory_tracker = true 
search_process_memory_usage_percentage_threshold = 13
search_process_memory_usage_threshold = 4000

In order to test it, how can I generate searches that consume gigabytes of memory?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

codebuilder
Influencer
‎05-20-2020 05:44 PM

Use EventGen (https://splunkbase.splunk.com/app/1924/) to generate thousands or millions of random events containing dozens or hundreds of fields, and spanning several years.

Send those events to the index of your choice.

Then run a verbose, all-time search using:

index=your_index_name_here |table *

A similar approach which doesn't require EventGen would be to take a sample file such as /var/log/messages, and use a bash script or simple for loop to copy it a gazillion times to some directory, while changing the file name each time, and ingest all those using a forwarder to populate your index. Then run the same search as described.

Either should work. I'm sure there are other solutions as well, but those two options come to mind first...

----
An upvote would be appreciated and Accept Solution if it helps!
Reply

danielbb
Motivator
‎05-21-2020 06:46 AM

The query (index=* OR index=_*) | table * did it and it produced the message in the UI, saying -

-- The search processs with sid=1590066363.14344 was forcefully terminated because its physical memory usage (6456.715000 MB) has exceeded the 'search_process_memory_usage_threshold' (4000.000000 MB) setting in limits.conf.

Where do we enable the MC admin message for this case, when it happens?

0 Karma
Reply

codebuilder
Influencer
‎05-21-2020 02:31 PM

Glad to hear that worked for you 😄 !

There's a canned DMC alert for this you can enable named "DMC Alert - Critical System Physical Memory Usage".

Or, you can create your own, obviously.

If you feel like this reply solved your issue please consider accepting the answer, so others can benefit as well.

----
An upvote would be appreciated and Accept Solution if it helps!
Reply

danielbb
Motivator
‎05-24-2020 02:48 PM

Right @codebuilder, but it's a generic message. It seems that the index=_internal sourcetype=splunkd component=SearchProcessMemoryTracker event_message="*Forcefully terminated*" brings data about these cases.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...