Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does search use up large amount of memory?

eng3
New Member
‎10-06-2022 05:23 PM

I'm trying to export raw linux audit logs to a file.  For example:

 

 

 

splunk.exe "sourcetype=linux:audit _time>xxxx _time<xxxxx" -output rawdata -maxout 0 > outputfile.txt

 

 

 

I'm trying to output a weeks worth but I'm not sure how many event records there are.  I tried setting maxout to 500000 and monitoring using task manager, I will see splunk grow to use 20GB of memory at its peak. I tried setting maxout to 1000000 and it used up all of my free memory.

That actual rawdata output is only a few hundred MB, why is it using up so much memory.

More importantly, is there a workaround or fix so it doesnt use up so much memory?  I could output in smaller time increments (daily for example) but I don't know if there might be a single day that happened to generate alot of events.  I suppose I could go down to hourly.  

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

johnhuang
Motivator
‎10-06-2022 07:27 PM

I don't understand "searchtype=linux:audit", is it a typo for sourcetype? Try specifying the index in your search.

 

splunk.exe "searchtype=linux:audit _time>xxxx _time<xxxxx" -output rawdata -maxout 0 > outputfile.txt

 

0 Karma
Reply

eng3
New Member
‎10-06-2022 07:43 PM

oops, sorry, that was a typo

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...