Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunkd process on the indexer in clustering using too much RAM

ssankeneni
Communicator
‎08-27-2013 06:44 AM

Hi,

Splunkd process running on the indexers in using more RAM memory .

With in last 7 days it has increased the usage from 9.8% to 70% on 20 GB RAM. It is killing the Splunk process after reaching the max. I'm using 5.0.2 Splunk on a linux VM. I'm using a nix app
and the memory by process is this
Resident_MB Virtual_MB Percentage Memory
splunkd 13379.101562 14352.585938 66.6

How to solve the issue ?

Reply

yannK
Splunk Employee
Splunk Employee
‎08-27-2013 07:27 AM
  • Did it started after you configured clustering ? (if yes, how many indexers do you have, what is your replication factor and your search factor)
  • do you have index time anonymization (sedcmd), or or index time filters using expensive Regexes ?
0 Karma
Reply

jkerai
Splunk Employee
Splunk Employee
‎10-04-2013 01:49 PM

Clustering is not expected to use 20GB of RAM. In our tests we have not seen it go over 3GB. So, I would think that there is a associated memory leak. Which version of splunk is it? Please file a support case and we will help find the leak.

0 Karma
Reply

ssankeneni
Communicator
‎08-27-2013 08:47 AM

I'm aware of this but I thought splunk supports this.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎08-27-2013 08:01 AM

Clustering is expensive :
- multiple all the disk space requirements by the replication factor.
- more network traffic
- more disk i/o
- more processing of the copies of the replicated buckets.

And it also can be resource intensive, if all the events have to be parsed twice at index time ( if you required multiple copies of the buckets to be searchable with a search factor > 1 ).

Reply

ssankeneni
Communicator
‎08-27-2013 07:51 AM

Yes, This has started after enabling the clustering. I don't have any index time anonymization or index time filtering.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...