IBM Support

How to increase the Java heap size of Elasticsearch used by IBM Security SOAR

How To


Summary

This guide explains how to increase the Java heap size of Elasticsearch that is used by IBM SOAR for search.

Objective

Clients might find that, due to increased usage of IBM SOAR or changes in the way the application is used, the Java heap size of Elasticsearch needs to be increased.
One indication of a problem related to Elasticsearch is the error "Unable to perform the search operation. Please contact the Resilient administrator and report this issue." This error on its own does not indicate a memory issue but it can direct clients to investigate the log files.
In /var/log/elasticsearch/elasticsearch.log, a similar error may be found which indicates a heap space issue.
  [201X-XX-XXTXX:XX:XX,XXX][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [] fatal error in thread [elasticsearch[U2s51DL][search][T#2]], exiting  java.lang.OutOfMemoryError: Java heap space
The value to which the Java heap size should be increased differs from client to client and depends on a number of factors such as the amount of data and usage patterns. During performance tuning exercises the value might need to change until the right value is obtained.

Steps

1. Stop IBM SOAR by running sudo systemctl stop resilient
2. Stop Elasticsearch by running sudo systemctl stop elasticsearch
3. Update /etc/elasticsearch/jvm.options with the new values. This update can be done by running sudo vi /etc/elasticsearch/jvm.options.

   # Xms represents the initial size of total heap space
   # Xmx represents the maximum size of total heap space

   -Xms3g
   -Xmx3g

   The value "3g" is an example and might not be the right value for your instance.
4. Increase the memory available to the guest by 3GB to match the increase in heap assigned to Elasticsearch. If the guest has plenty of memory free, then this step is not required.
5. Start IBM SOAR and Elasticsearch by running sudo systemctl start resilient, which starts Elasticsearch.
6. Finally, check that the increase in the Java heap is applied.

Run sudo ps -aux | grep -i elastic

The output looks something like this:
elastic+ 5387 0.4 16.6 3361252 647664 ? SLsl 09:33 2:03 /usr/lib/jvm/ibm-jdk-8/bin/java -Xms3g -Xmx3g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75
Look for "-Xms3g -Xmx3g" in the output.
Alternatively, check /var/log/elasticsearch/elasticsearch.log for a line such as this.
[201X-XX-XXTXX:XX:XX,XXX][INFO ][o.e.e.NodeEnvironment ] [_WZyV_X] heap size [3gb], compressed ordinary object pointers [unknown]
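
The final verification step can be scripted. The following is an added example, not part of the IBM document or the product: it compares the active -Xms/-Xmx lines in jvm.options with the flags on the running Java process and counts heap-space errors in the log. The function names (configured_heap, running_heap, oom_count, verify_heap) and the --live switch are hypothetical, and the demo input is constructed from the samples shown above.

```shell
#!/bin/sh
# Added example (not IBM's script): confirm the heap change reached the running JVM.

# Print the last active (uncommented) value of -Xms or -Xmx in a jvm.options file.
# $1 = Xms or Xmx, $2 = path to jvm.options
configured_heap() {
    sed -n "s/^[[:space:]]*-$1\([0-9][0-9]*[kKmMgG]\{0,1\}\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Print the value of -Xms or -Xmx found in process-listing text. $1 = flag, $2 = text
running_heap() {
    printf '%s\n' "$2" | tr ' ' '\n' |
        sed -n "s/^-$1\([0-9][0-9]*[kKmMgG]\{0,1\}\)\$/\1/p" | tail -n 1
}

# Count heap-exhaustion errors in an Elasticsearch log file. $1 = path to log
oom_count() {
    grep -c 'java.lang.OutOfMemoryError: Java heap space' "$1" || true
}

# Compare jvm.options with the running JVM. Returns 0 = applied, 1 = mismatch, 2 = not set.
# $1 = path to jvm.options, $2 = process-listing text
verify_heap() {
    cfg_ms=$(configured_heap Xms "$1"); cfg_mx=$(configured_heap Xmx "$1")
    run_ms=$(running_heap Xms "$2");    run_mx=$(running_heap Xmx "$2")
    if [ -z "$cfg_ms" ] || [ -z "$cfg_mx" ]; then
        echo "no active -Xms/-Xmx line in $1"; return 2
    fi
    if [ "$cfg_ms" != "$run_ms" ] || [ "$cfg_mx" != "$run_mx" ]; then
        echo "mismatch: configured $cfg_ms/$cfg_mx, running ${run_ms:-none}/${run_mx:-none}"
        return 1
    fi
    echo "heap applied: -Xms$cfg_ms -Xmx$cfg_mx"
}

# Constructed sample, modelled on the jvm.options lines and ps output shown above.
demo() {
    sample_opts=$(mktemp)
    printf '%s\n' '# Xms represents the initial size of total heap space' '-Xms3g' '-Xmx3g' > "$sample_opts"
    verify_heap "$sample_opts" 'elastic+ 5387 /usr/lib/jvm/ibm-jdk-8/bin/java -Xms3g -Xmx3g'
    rm -f "$sample_opts"
}

# Run against the paths from this guide with --live; otherwise run the constructed demo.
if [ "${1:-}" = "--live" ]; then
    verify_heap /etc/elasticsearch/jvm.options "$(ps -eo args | grep -i '[e]lastic')"
    echo "heap OOM errors in log: $(oom_count /var/log/elasticsearch/elasticsearch.log)"
else
    demo
fi
```

A "mismatch" result after editing jvm.options usually means the service was not restarted, or the edited line is commented out.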

Document Location

Worldwide


Document Information

Modified date:
01 December 2021

UID

ibm16203778