Receiving errors after upgrading to 8.2.4, like "S...

SamHTexas · ‎02-07-2022

I get the following after upgrading to Splunk 8.2.4 on Splunk Ent. + ES. I have a large environment with clustered SHs & Indexers. Thank u for your reply in advance.

"Sum of 3 Highest per-cpu iowaits reached red Threshold of 15" on ES

"Maximum per-cpu iowait reached yellow Threshold of 5" on Search heads

What do they mean & How do I fix the issues please.

Stefanie · ‎02-10-2022

We get the same error on our environment too. I've reached out to Splunk Support a few times to get clarification on this.

Is your environment virtualized by chance? Basically this error means you are lacking on your resources.

CPU iowait means that the CPU was idle during which the system had pending disk I/O requests. Basically the CPU is like "Hey! I have stuff I could be processing but I'm stuck waiting for x, y, and z to complete!"

How to resolve? An upgrade to your storage devices for faster throughput or if you're virtualized, possibly dedicating your virtual resources to Splunk servers.

Depending on how heavy your users are to Splunk - It's relatively harmless. But you may need to look at increasing resources in the future.

Refer to https://docs.splunk.com/Documentation/Splunk/8.2.4/Capacity/Referencehardware for more information on what you should be utilizing for your Splunk servers.

Receiving errors after upgrading to 8.2.4, like "Sum of 3 Highest per-cpu iowaits reached red Threshold of 15"

upgrade

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies