Splunk Enterprise Security

How to limit memory usage for a search?

human96
Communicator

Could you please tell me about the following? If I want to limit memory usage for a search, is it correct to think that I should set the following?

=====
[search]
enable_memory_tracker=true
search_process_memory_usage_threshold=10000
search_process_memory_usage_percentage_threshold=60

=====

※ If either value of "10000 (MB)" or "60 (%)" is reached, the operation is forcibly terminated.

Is it correct to understand that the above setting is for all searches including ad hoc searches?

If I want to enable the settings for all app searches, is it safe to add them to limits.conf below? $SPLUNK_HOME/etc/system/local/limits.conf

※ Set to $SPLUNK_HOME/etc/apps/App name/local/limits.conf to search for individual apps.

Am I correct in thinking that the above limits.conf settings should be set for both SearchHead and Indexer?

1 Solution

tshah-splunk
Splunk Employee

Hey @human96,

Yes, it is correct to understand that these settings will be applied to all the searches, as @somesoni2 mentioned. And yes, as the doc suggests, your search will be terminated if the threshold for memory occupied in percentage or the bytes is reached. However, it is advisable to be careful while placing these limits in $SPLUNK_HOME/etc/system/local. If you want all your searches (current + future) to fall within the threshold, then limits.conf in $SPLUNK_HOME/etc/system/local can be updated. These settings will need to be updated on the search head only.

---
If you find the answer helpful, an upvote/karma is appreciated
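
The following is an added example, not part of the original thread or of Splunk's own tooling: a small Python check of the `[search]` stanza from the question, which also models the "either threshold terminates the search" behaviour described above. It assumes the thresholds are only enforced when `enable_memory_tracker` is true and that the percentage is measured against the host's total memory; the function names and the host memory sizes are hypothetical.

```python
import configparser

# Constructed sample: the stanza from the question, one setting per line.
SAMPLE = """\
[search]
enable_memory_tracker=true
search_process_memory_usage_threshold=10000
search_process_memory_usage_percentage_threshold=60
"""

MB_KEY = "search_process_memory_usage_threshold"
PCT_KEY = "search_process_memory_usage_percentage_threshold"

def load_search_limits(text):
    """Parse the [search] stanza of a limits.conf-style string."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    def num(key):
        raw = cp.get("search", key, fallback=None)
        return float(raw) if raw is not None else None
    return {
        # configparser's boolean parsing stands in for Splunk's own here.
        "tracker": cp.getboolean("search", "enable_memory_tracker", fallback=False),
        "mb": num(MB_KEY),
        "pct": num(PCT_KEY),
    }

def lint(limits):
    """Return a list of problems that would make the limits ineffective."""
    problems = []
    has_threshold = limits["mb"] is not None or limits["pct"] is not None
    if has_threshold and not limits["tracker"]:
        problems.append("thresholds set but enable_memory_tracker is not true")
    if limits["mb"] is not None and limits["mb"] <= 0:
        problems.append(MB_KEY + " must be a positive number of MB")
    if limits["pct"] is not None and not 0 < limits["pct"] <= 100:
        problems.append(PCT_KEY + " must be between 0 and 100")
    return problems

def would_terminate(limits, used_mb, host_total_mb):
    """True if a search process using used_mb would cross either threshold.
    Assumption: behaviour exactly at the boundary is not modelled."""
    if not limits["tracker"]:
        return False
    over_mb = limits["mb"] is not None and used_mb > limits["mb"]
    over_pct = (limits["pct"] is not None
                and 100.0 * used_mb / host_total_mb > limits["pct"])
    return over_mb or over_pct
```

On a host with 16384 MB of memory the 60% limit is crossed before the 10000 MB limit, so the percentage setting is the one that actually bounds a search there.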


somesoni2
Revered Legend

All the information you need is here: https://docs.splunk.com/Documentation/Splunk/latest/Search/Limitsearchprocessmemoryusage

This is a system level configuration, so once set, it applies to all users accessing that Splunk instance (and it applies to both scheduled and ad-hoc searches). Setting it up on Search Head should be sufficient.

human96
Communicator

Hi @somesoni2, thanks for your response.

I already reviewed these threads given below and am still unclear about my posted question.

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Limitsconf

https://docs.splunk.com/Documentation/Splunk/8.1.2/Search/Limitsearchprocessmemoryusage

Could you please answer the question in detail?

Thanks
