Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunkd process getting killed in indexer frequently with oom error

shivanandbm
Explorer
‎05-09-2019 11:24 PM

We are running cluster envioronment and splunkd is getting killed so frequently in all the indexers with oom error.can you please suggest how i can rectify this..

Fyi splunk running in linux machine.below are my configuaration.

         total       used       free     shared    buffers     cached

Mem: 11 10 0 0 0 9
-/+ buffers/cache: 0 10
Swap: 3 0 3

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-09-2019 11:32 PM

Unfortunately, you genuinely require memory increase
Please find minimum spec details for indexers https://docs.splunk.com/Documentation/Splunk/7.2.6/Capacity/Referencehardware
It all depends on how much data you ingesting, How many TA's you have etc.

A mid range spec is and I guess you may need it.

Intel 64-bit chip architecture
24 CPU cores at 2GHz or greater speed per core
64GB RAM
Disk subsystem capable of a minimum of 800 average IOPS
A 1Gb Ethernet NIC, with optional second NIC for a management network
A 64-bit Linux or Windows distribution

If you want do a short term quick fix, the plan is
1. reduce as much searches/concurrent searches as possible. Do disable as many searches within your application
2. Remove all apps with savedsearches.conf and see if it works and then introduce each app/TA/SA one by one.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-09-2019 11:32 PM

Unfortunately, you genuinely require memory increase
Please find minimum spec details for indexers https://docs.splunk.com/Documentation/Splunk/7.2.6/Capacity/Referencehardware
It all depends on how much data you ingesting, How many TA's you have etc.

A mid range spec is and I guess you may need it.

Intel 64-bit chip architecture
24 CPU cores at 2GHz or greater speed per core
64GB RAM
Disk subsystem capable of a minimum of 800 average IOPS
A 1Gb Ethernet NIC, with optional second NIC for a management network
A 64-bit Linux or Windows distribution

If you want do a short term quick fix, the plan is
1. reduce as much searches/concurrent searches as possible. Do disable as many searches within your application
2. Remove all apps with savedsearches.conf and see if it works and then introduce each app/TA/SA one by one.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...