
Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

Communicator

Hello,
I installed Splunk Enterprise 6.2.2 a month ago and it was running safely. Splunk had no issues. I installed the Splunk App for Enterprise Security 3.3.0 and updated Splunk Enterprise to version 6.2.3 two days ago. Yesterday Splunk had no problems. Today, Splunk consumed the entire memory (32 GB) and the whole machine went down. I restarted the Windows server and Splunk worked for 5 minutes, but consumed 100% of the memory again and the server went down. I verified the logs and I didn't find errors. I disabled all the scheduled searches and correlation searches, but this did not resolve the problem. Splunk goes down every 5 minutes, and Windows also, because splunkd consumes the entire memory.
Any help, please?


Re: Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

SplunkTrust

Unfortunately, most users here will not be able to help you, and the ones who can would need detailed information about your environment. When it comes to ES, my recommendation is to contact Splunk Support with a P1 ticket. This will get you the fastest resolution for your problem.


Re: Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

Communicator

Thank you for your answer. I sent a P1 ticket to support but they didn't help me, they transformed the P1 to P2...

I deleted the whole configuration of Splunk and I redeployed it. It is not the best solution, I know, but I had no other solution.


Re: Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

Explorer

Make sure the box is not indexing locally. Also make sure you are in a distributed environment. Make sure the ES server is only running a search head and KV store.


Re: Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

SplunkTrust

ES on Windows is no fun at all.


Re: Splunk 6.2.3 consuming all the memory after installing Splunk app for Enterprise Security 3.3.0

Splunk Employee

Windows is not fun at all 🙂
