×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
aldo
New Member
Member since: Thursday
Thursday
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-28-2025
View All

UBA caspida-realtimeruleexec Service Crash with Ou...

by in Splunk Enterprise Security
Thursday
Thursday
Hi Splunk Community, I'm currently running a 7-node UBA deployment and encountering persistent errors with the `caspida-realtimeruleexec` service. The service fails to respond in the UBA Health Monitor UI, and upon checking the logs at: /var/vcap/sys/log/caspida/ruleengine/realtimeruleexecutor.log : I see the following error: java.lang.OutOfMemoryError: Java heap space When inspecting the JVM options in the `/opt/caspida/bin/CaspidaCommonEnv.sh` file, I found that the heap size was set as: -Xmx4M This seems too low for a rule executor component. My node has around 64 GB of RAM and ~34 GB free memory available (`free -m` confirms this). I am planning to increase the heap size to `-Xmx8192m`. ### My Questions: 1. Is this the correct cause of the crash? 2. Is it safe and recommended to increase the heap size to 8 GB or more for `caspida-realtimeruleexec` in a 7-node cluster? 3. Are there any best practices or official docs on tuning JVM heap for this component? 4. Should I also consider increasing other services' heap sizes? Thanks in advance for your help! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
Thursday