I installed Splunk Enterprise 6.2.2 a month ago and it was running safely. Splunk had no issues. I installed the Splunk App for Enterprise Security 3.3.0 and updated Splunk Enterprise to version 6.2.3 two days ago. Yesterday Splunk had no problems. Today, Splunk consumed the entire memory (32 GB) and the whole machine went down. I restarted the Windows server and Splunk worked for 5 minutes, but consumed 100% of the memory again and the server went down. I verified the logs and I didn't find errors. I disabled all the scheduled searches and correlation searches, but this did not resolve the problem. Splunk goes down every 5 minutes, and so does Windows, because splunkd consumes the entire memory.
Any help please?
Unfortunately, most users here will not be able to help you, and the ones that can, would need detailed information about your environment. When it comes to ES, my recommendation is to contact Splunk Support with a P1 ticket. This will get you the fastest resolution for your problem.
Thank you for your answer. I sent a P1 ticket to support but they didn't help me; they changed the P1 to a P2...
I deleted the whole configuration of Splunk and I redeployed it. It is not the best solution, I know, but I had no other solution.
Make sure the box is not indexing locally. Also make sure you are in a distributed environment. Make sure the ES server is only running a search head and KV store.
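A quick way to verify the three points in the answer above (no local indexing, forwarding to indexers, a real distributed search) is to read the search head's outputs.conf and distsearch.conf. The checker below is an added example and is not code from this thread or from Splunk; it assumes the settings Splunk documents for a forwarding search head ([indexAndForward] index = false, [tcpout] indexAndForward = false with a defaultGroup and a [tcpout:<group>] server list, and [distributedSearch] servers). The group name and hostnames in the sample configs are made up.

```python
"""Check that a Splunk ES search head forwards instead of indexing locally.

Added example, not Splunk's own code. It assumes the documented outputs.conf
and distsearch.conf keys named above; missing keys are reported as problems
rather than assumed to have a safe default.
"""
import configparser
from typing import Dict, List


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text.

    Stanza names such as [tcpout:es_indexers] contain a colon and keys such as
    forwardedindex.filter.disable contain dots; configparser accepts both.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def _is_false(cp: configparser.ConfigParser, stanza: str, key: str) -> bool:
    """True only when the key exists and is explicitly false/0."""
    if not cp.has_option(stanza, key):
        return False
    return cp.get(stanza, key).strip().lower() in ("false", "0")


def check_search_head(outputs_conf: str, distsearch_conf: str) -> Dict[str, object]:
    """Return {"ok": bool, "problems": [...], "search_peers": [...]}."""
    out = parse_conf(outputs_conf)
    dist = parse_conf(distsearch_conf)
    problems: List[str] = []

    # 1. Local indexing must be switched off explicitly.
    if not _is_false(out, "indexAndForward", "index"):
        problems.append("outputs.conf: [indexAndForward] index is not set to false")
    if not _is_false(out, "tcpout", "indexAndForward"):
        problems.append("outputs.conf: [tcpout] indexAndForward is not set to false")

    # 2. There must be a forwarding target with at least one indexer.
    group = out.get("tcpout", "defaultGroup", fallback="").strip()
    if not group:
        problems.append("outputs.conf: [tcpout] defaultGroup is missing")
    else:
        stanza = f"tcpout:{group}"
        if not out.get(stanza, "server", fallback="").strip():
            problems.append(f"outputs.conf: [{stanza}] has no server list")

    # 3. The box must have search peers, i.e. be a distributed search head.
    raw_peers = dist.get("distributedSearch", "servers", fallback="")
    peers = [p.strip() for p in raw_peers.split(",") if p.strip()]
    if not peers:
        problems.append("distsearch.conf: [distributedSearch] servers is empty")

    return {"ok": not problems, "problems": problems, "search_peers": peers}


# Constructed sample configs (hostnames and group name are made up).
GOOD_OUTPUTS = """
[indexAndForward]
index = false

[tcpout]
defaultGroup = es_indexers
forwardedindex.filter.disable = true
indexAndForward = false

[tcpout:es_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""

GOOD_DISTSEARCH = """
[distributedSearch]
servers = idx1.example.internal:8089, idx2.example.internal:8089
"""

# A box that still indexes locally and has no search peers.
BAD_OUTPUTS = """
[tcpout]
indexAndForward = true
"""

BAD_DISTSEARCH = ""


if __name__ == "__main__":
    for label, o, d in (("good", GOOD_OUTPUTS, GOOD_DISTSEARCH),
                        ("bad", BAD_OUTPUTS, BAD_DISTSEARCH)):
        result = check_search_head(o, d)
        print(label, "ok" if result["ok"] else "PROBLEMS")
        for p in result["problems"]:
            print("  -", p)
```

On a real search head, read the effective settings (after layering of system/local and app-level files) rather than a single file, since an app can override what system/local says.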