Solved: Re: How to calculate the memory Splunk consumes wh...

pramit46 · ‎07-02-2014

guys,

How can I find out how much memory does a Splunk Query consume?

rsennett_splunk · ‎07-03-2014

A quick and dirty way to do this, would be to steal the "Top Memory Consuming Searches" from the SOS app.
(This is a handy app that you should have installed anyway. http://apps.splunk.com/app/748/ Everyone should use Splunk on Splunk (SOS)

Under the Resource Usage Menu, choose "CPU/Memory". The last panel on the bottom of the dashboard is the one you want.

Hover your mouse over the lower left hand corner of the panel and you'll see a tiny magnifying glass... click it.
It will open the search in a new window.
This search has a lot of stuff in there that you don't need if you are pinpointing one particular search... but rather than pulling it apart... you can insert the SID from the search in question.

Run it in another tab, click "Job Inspector" and get the SID (it's right at the top). Find the following line in the search:

| search sid=* sid!="subsearch*" search!=typeahead* search!="|history*"]

Be careful, because this is the end of an append

Right after | search sid=*

insert your SID so it looks like this:

| search sid=* sid="YOURSIDHERE" sid!="subsearch*" search!=typeahead* search!="|history*"]

That will create a lovely report showing you just the stats for that one particular search.

Again... rather than breaking it... I just added the "Search FOR this thing" with all the "Search for NOT this stuff"

Of course... next thing to do is pick it apart and learn what it's doing. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

View solution in original post

rsennett_splunk · ‎07-03-2014

A quick and dirty way to do this, would be to steal the "Top Memory Consuming Searches" from the SOS app.
(This is a handy app that you should have installed anyway. http://apps.splunk.com/app/748/ Everyone should use Splunk on Splunk (SOS)

Under the Resource Usage Menu, choose "CPU/Memory". The last panel on the bottom of the dashboard is the one you want.

Hover your mouse over the lower left hand corner of the panel and you'll see a tiny magnifying glass... click it.
It will open the search in a new window.
This search has a lot of stuff in there that you don't need if you are pinpointing one particular search... but rather than pulling it apart... you can insert the SID from the search in question.

Run it in another tab, click "Job Inspector" and get the SID (it's right at the top). Find the following line in the search:

| search sid=* sid!="subsearch*" search!=typeahead* search!="|history*"]

Be careful, because this is the end of an append

Right after | search sid=*

insert your SID so it looks like this:

| search sid=* sid="YOURSIDHERE" sid!="subsearch*" search!=typeahead* search!="|history*"]

That will create a lovely report showing you just the stats for that one particular search.

Again... rather than breaking it... I just added the "Search FOR this thing" with all the "Search for NOT this stuff"

Of course... next thing to do is pick it apart and learn what it's doing. 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

rsennett_splunk · ‎07-04-2014

Oh! I didn't see that! 🙂

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

pramit46 · ‎07-04-2014

@rsennett_splunk, I also found that in the job inspector page it shows the memory space the query had consumed.

How to calculate the memory Splunk consumes while running a query?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk