Why is a standalone search head going down often?

mala_splunk_91 · ‎11-16-2017

Hi ,

In our Splunk environment, standalone search head is going down often.
Could anyone , what would be the reason on this?

When i check SH internal logs,at time just before down time . I could see the below errors

2017-11-16 15:45:59,954 INFO [5a0d7dff217f35xxxxxxxx] root:129 - ENGINE: Bus EXITED
2017-11-16 15:45:59,954 INFO [5a0d7dff217f35xxxxxxxx] root:129 - ENGINE: Bus STOPPED
2017-11-16 15:45:59,953 INFO [5a0d7dff217f35xxxxxxxx] root:129 - ENGINE: Stopped thread '_TimeoutMonitor'.
2017-11-16 15:45:59,887 INFO [5a0d7dff217f35xxxxxxxx] root:129 - ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down

Can someone help on this please?

Thanks
Mala

gcusello · ‎11-17-2017

Hi mala_splunk_91,
it's hard to debug a problem likethis!
what Linux are you using? see on internet if there are known issues on this Operative System.
Anyway, I suggest to open a case to Splunk Support because the only way is a webex to see you installation.
Bye.
Giuseppe

splunker545 · ‎07-17-2019

i know it's old thread ,i assume it helps ,
once check DMC on your search head , and go to "resource usage: instance"
check for Maximum Physical Memory Usage by Process Class& Maximum CPU Usage by Process Class
identify which process class consuming more resources , usually it is "search activity" in my case

Why is a standalone search head going down often?

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms