Splunk Enterprise Security

Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

Afef
Communicator

Hello,
I installed Splunk Enterprise 6.2.2 a month ago and it was running safely. Splunk had no issues. I installed the Splunk App for Enterprise Security 3.3.0 and updated Splunk Enterprise to version 6.2.3 two days ago. Yesterday Splunk had no problems. Today, Splunk consumed the entire memory (32 GB) and the whole machine went down. I restarted the Windows server and Splunk worked for 5 minutes, but consumed 100% of the memory again and the server went down. I verified the logs and I didn't find errors. I disabled all the scheduled searches and correlation searches, but this did not resolve the problem. Splunk goes down every 5 minutes, and Windows also, because Splunkd consumes the entire memory.
Any help, please?

0 Karma

martin_mueller
SplunkTrust

ES on Windows is no fun at all.

0 Karma

mdessus_splunk
Splunk Employee

Windows is not fun at all 🙂

0 Karma

benjamin009
Explorer

Make sure the box is not indexing locally. Also make sure you are in a distributed environment. Make sure the ES server is only running a search head and KV store.

0 Karma

alacercogitatus
SplunkTrust

Unfortunately, most users here will not be able to help you, and the ones that can would need detailed information about your environment. When it comes to ES, my recommendation is to contact Splunk Support with a P1 ticket. This will get you the fastest resolution for your problem.

Afef
Communicator

Thank you for your answer. I sent a P1 ticket to support but they didn't help me, they transformed the P1 to P2...

I deleted the whole configuration of Splunk and I redeployed it. It is not the best solution, I know, but I had no other solution.

0 Karma