- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: search process memory usage
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you please tell me about the following? If I want to limit memory usage for a search, is it correct to think that I should set the following?
=====
[search] enable_memory_tracker=true search_process_memory_usage_threshold=10000 search_process_memory_usage_percentage_threshold=60
=====
※ If either value of "10000 (MB)" or "60 (%)" is reached, the operation is forcibly terminated.
Is it correct to understand that the above setting is for all searches including ad hoc searches?
If I want to enable the settings for all app searches, is it safe to add them to limits.conf below? $SPLUNK_HOME/etc/system/local/limits.conf
※Set to $SPLUNK _ HOME/etc/apps/App name/local/limits.conf to search for individual apps.
Am I correct in thinking that the above limits.conf settings should be set for both SearchHead and Indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @human96,
Yes, it is correct to understand that these settings will be applied to all the searches. as @somesoni2 mentioned. And yes as the doc suggests, your search will be terminated if the threshold for memory occupied in percentage or the bytes is reached. However, it is suggestible to be careful while placing these limits in $SPLUNK_HOME/etc/system/local. If you want all your searches (current + future) to fall in the threshold, then limits.conf in $SPLUNK_HOME/etc/system/local can be updated. These settings will need to be updated on search head only.
If you find the answer helpful, an upvote/karma is appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @human96,
Yes, it is correct to understand that these settings will be applied to all the searches. as @somesoni2 mentioned. And yes as the doc suggests, your search will be terminated if the threshold for memory occupied in percentage or the bytes is reached. However, it is suggestible to be careful while placing these limits in $SPLUNK_HOME/etc/system/local. If you want all your searches (current + future) to fall in the threshold, then limits.conf in $SPLUNK_HOME/etc/system/local can be updated. These settings will need to be updated on search head only.
If you find the answer helpful, an upvote/karma is appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All the information you need is here: https://docs.splunk.com/Documentation/Splunk/latest/Search/Limitsearchprocessmemoryusage
This is a system level configuration, so once set, it applies to all users accessing that Splunk instance (and it applies to both scheduled and ad-hoc searches). Setting it up on Search Head should be sufficient.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @somesoni2 thanks for your response.
I already reviewed these threads given below and still unclear with my posted question.
https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Limitsconf
https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/Limitsearchprocessmemoryusage
Could you please answer the question in details.
Thanks
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
