Ok since I have started getting used to Splunk and finding how much easier it is than cat /var/log/mail.log | grep 'user@domain', I added the rest of my logging to it. This amounts to about 80M / day. Firstly, because I use SSHFS a lot, Splunk killed the CPU when it was indexing – the CPU was a K6-2 333. I overclocked it to 343, which ultimately did not help ;)

I think the CPU might have been “ok” but I swapped it for a K6-3 400 anyway, which I’ve had no problems with. The bigger problem was the fact that during indexing, Splunk ate my RAM. 384M. I woke up to a hard disk thrashing at 60 pages / sec. The box didn’t crash though, Linux did its due diligence and started purging processes ;)

Anyway I’ve now increased the memory to 586 (512 + 64), and Splunk is fine. No problems at all. Load seems to top out at about 3 which is nice. No swapping. I will mention that the same box is also running a MySQL server, LDAP and DNS Masq. Those services don’t eat CPU or much RAM because they are not normally used, but it is nice to be able to access them rather than to find they’ve been killed to make room for Splunk.

Conclusion: Splunk WILL run with less than the 1G “minimum” RAM that Splunk say in the system requirements documentation…but if you go below 512M, you’re gonna swap. And 1.4GHz minimum CPU well…f3ar my K6-3 ;)

Written on August 3rd, 2008, Informative

SirSpanky.com – The Secret Diary of James Pearce Aged 20-Something

Personal journal of a professional geek – James Pearce in Perth, Australia