Splunk reporting running out of memory on a VM ser...

bcarlson · ‎07-15-2013

Good Afternoon! I am trying to create a report that goes through a 15 Million record file and
creates a cost of roaming report based on my Users roaming on a different network. A User could have records on multiple other wireless networks. The report calculates cost based on partner's rates and data consumed by User. This report works perfect if I try and run the report on a smaller number of records. The search portion of the report is pulling stop records that have accessed Bobwireless.com. Is there a better more memory efficient way to find the same information?

thanks
Bob

Domain="Bobwireless.com" AcctType="2" | eval Roamer_Cost=case(Serving_Carrier=="JillWireless", Total_Megabytes*.055, Serving_Carrier=="Larry Wireless", Total_Megabytes*.10, Serving_Carrier=="Cowboy", Total_Megabytes*.25, Serving_Carrier=="Indains", Total_Megabytes*.40, Serving_Carrier=="KCChiefs", Total_Megabytes*.40, Serving_Carrier=="Raiders:, Total_Megabytes*.0, Serving_Carrier=="Panthers", Total_Megabytes*.40, Serving_Carrier=="Chargers", Total_Megabytes*.20, Serving_Carrier=="CellComm", Total_Megabytes*.20, Serving_Carrier=="Vikings", Total_Megabytes*.10, Serving_Carrier=="Bears", Total_Megabytes*.25, Serving_Carrier=="Cardinals", Total_Megabytes*.25, Serving_Carrier=="Jaguars",Total_Megabytes*.40, Serving_Carrier=="Oilers", Total_Megabytes*.35, Serving_Carrier=="Titans", Total_Megabytes*.25, Serving_Carrier=="Dolphins", Total_Megabytes*.35, Serving_Carrier=="Packers", Total_Megabytes*.25, Serving_Carrier=="Patriots", Total_Megabytes*.25, Serving_Carrier=="Bucaneers", Total_Megabytes*.40, Serving_Carrier=="Ravens", Total_Megabytes*.35) | table User, Serving_Carrier, Total_Megabytes, Roamer_Cost

alacercogitatus · ‎07-15-2013

You could try a lookup table.

roaming_weights.csv
Serving_Carrier,weight JillWireless,0.055 Larry Wireless,0.10

And then your search:

Domain="Bobwireless.com" AcctType="2" | lookup roaming_weights.csv Serving_Carrier | eval Roamer_Cost = weight * Total_Megabytes | table User Serving_Carrier Total_Megabytes Roamer_Cost

If you need more carriers, just add them to the CSV file.

bcarlson · ‎07-16-2013

I entered a system ticket to see what Splunk support says.
thanks
Bob

alacercogitatus · ‎07-16-2013

Intersting, I see that error on 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64 x86_64 GNU/Linux. The Kernel Builds are the same....

bcarlson · ‎07-16-2013

2.6.32-358.2.1.e16.x86_64 #1 SMP Wed Mar 12 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

bcarlson · ‎07-16-2013

I will see if I can find that? thanks

alacercogitatus · ‎07-16-2013

What OS? if linux what does uname -a report?

bcarlson · ‎07-16-2013

alacercogitatusitatus,

Got that problem solved. It was the $ sign in the CSV field for "Weight". Your search suggests seem to work much better because Splunk is not blowing up with memory errors, but it is still ending with "[SimpleResultsTable module] Splunkd daemon is not responding: ('The read operation timed out',) I wonder if anyone has an idea on that?

alacercogitatus · ‎07-16-2013

Could you paste the query just as you are running it?

bcarlson · ‎07-16-2013

alacercogitatus, Good Morning! Thanks for you help! I built the CSV table and everything seems to work accept the calculation weight*Total_Megabytes. When I look at the data in the fields, I see vaild weight values. Any ideas? thanks Bob

bmacias84 · ‎07-15-2013

Also before doing any eval or computational commands you should distille to your only the fields required by using the fields command. This will increase performance by only return necessary fields.

Domain="Bobwireless.com" AcctType="2"| fields User, Servicing_Carrier, Total_Megabytes | ...

Splunk reporting running out of memory on a VM server wtih 16Gig

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms