Splunk Search

Error:std::bad_alloc Whenever I try to visualize a search

Stabbles
Engager

Splunk newbie here,
I've installed Splunk onto a small ubuntu VM (512MB RAM and 20GB disk space) This should be OK because my data is very small.
I'm able to run the search sourcetype=accounts_made and it returns the results for all time very quickly. However if I try and pipe the results to a timechart; sourcetype=accounts_made | timechart max(accounts) I receive the error std::bad_alloc The search job has failed due to an error. You may be able view the job in the Job Inspector. Even if I try and plot the results for the past 15 minutes it gives up immediately.

Any advice would be appreciated!

Edit: Running the search in Verbose mode seems to work, however I can't make any dashboard panels because they always show the error above.

1 Solution

lukasz92
Communicator

This is just Out of memory error, sorry.
Read this page http://docs.splunk.com/Documentation/Splunk/6.2.1/Installation/Systemrequirements - you just have to have 1GB RAM.

View solution in original post

vivek_manoj
Explorer

Its because you are running it in fast mode . Change it to verbose mode will resolve you problem.

0 Karma

lukasz92
Communicator

This is just Out of memory error, sorry.
Read this page http://docs.splunk.com/Documentation/Splunk/6.2.1/Installation/Systemrequirements - you just have to have 1GB RAM.

zaphod1984
Path Finder

hi, that's the same conclusion i also came to. (had splunk running on a VM with 512Mb)

0 Karma

zaphod1984
Path Finder

any clues on this?
I'm running into the same issue...

0 Karma

markthompson
Builder

@Stabbles - Can you view it in the job inspector and share a screenshot please

0 Karma

Stabbles
Engager

Here you go Mark,
alt text

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...