You might want to detect when memory utilization is nearing capacity when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
Excessive memory utilization on a host, particularly when it is abnormal or prolonged, is a sign of potential issues with the critical applications running on the host. You want to detect when an application is starved for memory resources, so you can prevent performance degradation or application instability.
To optimize the search shown below, you should specify an index and a time range.
- In Splunk Enterprise or Splunk Cloud Platform, verify that you deployed the Splunk Add-on for Microsoft Windows to your search heads, indexers, and Splunk Universal Forwarders on the monitored systems. For more information, see About installing Splunk add-ons.
- Run the following search:
```
| mstats avg(Memory.Committed_Bytes) as Memory.Committed_Bytes avg(Memory.Available_Bytes) AS Memory.Available_Bytes WHERE index="<name of Windows metrics index>" AND host="<name of host to check>" span=1m BY host
| eval total_memory=('Memory.Committed_Bytes'+'Memory.Available_Bytes')
| eval percent_used=('Memory.Committed_Bytes'/'total_memory'*100)
| timechart avg(percent_used) AS "% Memory Used" BY host
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Part of search | Explanation |
|---|---|
| `\| mstats avg(Memory.Committed_Bytes) as Memory.Committed_Bytes avg(Memory.Available_Bytes) AS Memory.Available_Bytes WHERE index="<name of Windows metrics index>" AND host="<name of host to check>" span=1m BY host` | Search metrics index(es) where perfmon memory utilization data is being collected and filter down to the desired hosts to check. |
| `\| eval total_memory=('Memory.Committed_Bytes'+'Memory.Available_Bytes')` | Calculate total memory. |
| `\| eval percent_used=('Memory.Committed_Bytes'/'total_memory'*100)` | Calculate the percent of memory used. |
| `\| timechart avg(percent_used) AS "% Memory Used" BY host` | Plot the percent of memory used for each host over time. |
Create an alert based on this search so you can proactively manage potential stability issues. To alert when memory utilization is nearing capacity, you can configure one of the following two recommendations:
- Use the SPL from this procedure to configure a Core Splunk alert.
- Configure the Average Memory Usage vital metric for the Windows entity type in IT Essentials Work to alert when the memory utilization percentage is at or near 100.
- Ensure that you have the Splunk OTEL Collector installed on the host you want to monitor.
- In Splunk Infrastructure Monitoring, use the following SignalFlow to search the memory.utilization streaming metric and filter down to the desired hosts and processes.
```
A = data('memory.utilization', filter=filter('host.name', '<name of host to check>'), rollup='latest').publish(label='A')
```
To alert when memory utilization is nearing max capacity for the selected hosts, use the SignalFlow from this procedure to configure a detector with an alert condition of "Static Threshold" and alert settings of:
- Alert when: Above
- Threshold: 95
- Trigger sensitivity: Duration
- Duration: 5m
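
To see how the percent-used calculation from the SPL search and the "Above 95 for 5m" detector settings behave together, the following added example (not code from Splunk or from this procedure) replays both over constructed one-minute samples. The host names, the 16 GiB host size, and the rule that a missing minute breaks a run are assumptions made for the illustration.

```python
from collections import defaultdict

THRESHOLD = 95.0   # "Threshold: 95" from the detector settings
DURATION = 5       # "Duration: 5m", counted in 1-minute buckets (span=1m)
GIB = 2**30

def percent_used(committed, available):
    """Same arithmetic as the two eval steps in the SPL search."""
    total_memory = committed + available
    if total_memory <= 0:          # no usable sample; avoid dividing by zero
        return None
    return committed / total_memory * 100

def sustained_breaches(samples, threshold=THRESHOLD, duration=DURATION):
    """samples: (minute, host, committed_bytes, available_bytes) tuples.
    Returns {host: [minute at which a run reached `duration` minutes]}.
    Assumption: a missing minute breaks the run."""
    by_host = defaultdict(list)
    for minute, host, committed, available in sorted(samples):
        by_host[host].append((minute, percent_used(committed, available)))
    fired = {}
    for host, series in by_host.items():
        run, prev = 0, None
        for minute, pct in series:
            above = pct is not None and pct > threshold
            contiguous = prev is not None and minute == prev + 1
            run = (run + 1 if contiguous else 1) if above else 0
            prev = minute
            if run == duration:    # fire once per sustained run
                fired.setdefault(host, []).append(minute)
    return fired

def _row(minute, host, used_gib):
    # Constructed sample for a hypothetical 16 GiB host.
    return (minute, host, int(used_gib * GIB), int((16 - used_gib) * GIB))

# Constructed data: web01 dips at minute 4 then stays high for five minutes,
# db01 spikes for only four minutes, app01 is missing its minute-4 sample.
SAMPLES = (
    [_row(m, "web01", 15.5) for m in range(0, 4)] + [_row(4, "web01", 12)]
    + [_row(m, "web01", 15.5) for m in range(5, 10)]
    + [_row(m, "db01", 15.5) for m in range(0, 4)]
    + [_row(m, "db01", 8) for m in range(4, 10)]
    + [_row(m, "app01", 15.5) for m in (0, 1, 2, 3, 5, 6)]
)

if __name__ == "__main__":
    print(sustained_breaches(SAMPLES))
```

Only web01 fires, at minute 9: the four-minute spike on db01 and the interrupted run on app01 never satisfy the five-minute duration.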