- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: My search keeps getting killed by 'Signal 9'
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does search keep getting killed by 'Signal 9'?
For a certain search I keep getting the following error:
Search process did not exit cleanly, exit_code=0, description="killed by signal 9: Killed". Please look in search.log for this peer in the Job Inspector for more info.
Now the search.log doesn't show much useful information except that the job is indeed killed. Searching a bit on the error learned me that 'Signal 9' means that the job is killed 'externally', probably due to memory issues.
Strange thing is that this is only happening for this specific query, by far not the heaviest or most complex one running and that I never had any memory issues before. Also, the query works like a charm when the timespan is several days, but setting the timespan on 1 month or more gives me this error.
Anyone?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you get the answer, Please let me know, I have a same concern.😐
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply. The search doesn't contain memory intensive stuff like transactions. It is only used to calculate some variables imported in another search that does a simple regression on all volumes:
source='source1' OR source='source2' earliest=@d-31d latest=@d
| fields _time 'volume-id' name 'storage_used_percent'
| eval name=if(source=="source1", 'volume-id', name)
| stats count as count, sum(storage_used_percent) as Y sum(_time) as X, sum(eval(_time*storage_used_percent)) as XY, sum(eval(_time_time)) as X2 latest(_time) as T1 earliest(_time) as T0 by name*
While the environment is quite big (>6000 volumes), even larger searches over a longer timespan work just fine. Also, after testing a bit, if I set the timerange to up to 26 days -> now, it works. A period longer than 26 days -> now, gives the signal 9 error..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the search? If it includes a transaction command, then you may very well be running out of memory.
Infographic provides the TL;DR for the 2023 Splunk Career Impact Report
Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...
Enterprise Security Content Update (ESCU) | New Releases
