Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the search process need so much memory for one simple query with the data for ONE(!) day?

anton_kiryushki
Explorer
‎12-27-2019 05:25 AM

Hello.

I'm using Splunk Enterprise 7.2.6 and I'm trying to export some data from past with command below:

/path/to/splunk search "index=my_index earliest=12/02/2018:00:00:00 latest=12/03/2018:23:59:00" -output rawdata -maxout 0 -auth user:password

My servers has 64Gb RAM and it almost free:

free -mg
total used free shared buffers cached
Mem: 62 2 60 0 0 0
-/+ buffers/cache: 1 61
Swap: 0 0 0

However, the search process eats all memory and killed by OOM.

Could someone explain to me why the search process needs so many memory for one simple query with the data for ONE(!) day?

Labels (1)
Labels
Reply

pcieniek
Loves-to-Learn Lots
‎01-25-2023 05:42 AM

You can add SWAP memory to prevent OOM for huge search/exports.

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2019 07:01 AM

How much data is in that one day?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anton_kiryushki
Explorer
‎12-27-2019 07:51 AM

@richgalloway You surprised me by this question. I only can check the day after and it is 4510739 strings. So, I would assume the amount of data on the problem day is the same.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2019 08:26 AM

4.5 million events should fit in 64GB, but it also depends on the sizes of the events. Perhaps you could try exporting 12 hours at a time into separate files and then concatenate the files.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anton_kiryushki
Explorer
‎12-27-2019 08:45 AM

I'm sorry, but it is unsuitable. Why Splunk is collect data into memory instead of flush data to disk directly? I don't need something externally hard, just grab data.
What if I need to export data for one year? Should I do exports by an hour or maybe by the minute? It is not a problem, I can write a script, but it is an inappropriate solution.
This is a strong bug in my opinion.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-28-2019 04:53 AM

I agree and understand it's not the best solution, but would you rather stand on principle or get the job done?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anton_kiryushki
Explorer
‎12-28-2019 12:41 PM

You right. it is only way to manage the issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...