<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: High memory/cpu usage by splunk universal forwarder in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692913#M115181</link>
    <description>&lt;P&gt;Check your inputs.conf and ensure the stanzas are properly configured to monitor only the files that you want, specifically you can adjust the block and allow lists:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[monitor:// whatever]
whitelist = ( REGEX )
blacklist = ( REGEX )&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That aside, I strongly encourage you to follow Giuseppe's advice and contact your Splunk admin to open a case on your behalf.&lt;/P&gt;</description>
    <pubDate>Wed, 10 Jul 2024 17:57:38 GMT</pubDate>
    <dc:creator>JohnEGones</dc:creator>
    <dc:date>2024-07-10T17:57:38Z</dc:date>
    <item>
      <title>High memory/cpu usage by splunk universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/683797#M114144</link>
      <description>&lt;P&gt;I've installed Splunk Universal Forwarder 9.1.0 on a Linux server and configured batch mode for data log file monitoring. There are different types of logs which we monitoring with different filenames. We observed too much CPU/Memory consumption by splunkd process when the input log files to be monitored are more ( &amp;gt; 1000K approx). All the input data logs files are new and total no. of events range would be 10 to 300.&lt;/P&gt;&lt;P&gt;Few metirc logs:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;{"level":"INFO","name":"splunk","msg":"group=tailingprocessor, ingest_pipe=1, name=batchreader1, current_queue_size=0, max_queue_size=0, files_queued=0, new_files_queued=0","service_id":"infra/service/ok6qk4zudodbld4wcj2ha4x3fckpyfz2","time":"04-08-2024 20:33:20.890 +0000"}
{"level":"INFO","name":"splunk","msg":"group=tailingprocessor, ingest_pipe=1, name=tailreader1, current_queue_size=1388185, max_queue_size=1409382, files_queued=18388, new_files_queued=0, fd_cache_size=63","service_id":"infra/service/ok6qk4zudodbld4wcj2ha4x3fckpyfz2","time":"04-08-2024 20:33:20.890 +0000"}&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Please help me if there is any configuration tuning to limit the number of files to be monitored.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2024 08:24:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/683797#M114144</guid>
      <dc:creator>NReddy12</dc:creator>
      <dc:date>2024-04-10T08:24:30Z</dc:date>
    </item>
    <item>
      <title>Re: High memory/cpu usage by splunk universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/683802#M114148</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266814"&gt;@NReddy12&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I never experienced this behavior on a Linux server.&lt;/P&gt;&lt;P&gt;The only hint is to open a case to Splunk Support, sending them a diag of your Universal Forwarder.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 10 Apr 2024 09:10:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/683802#M114148</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2024-04-10T09:10:53Z</dc:date>
    </item>
    <item>
      <title>Re: High memory/cpu usage by splunk universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692911#M115180</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352"&gt;@gcusello&lt;/a&gt;, I don't have access to open a case to Splunk support.&lt;/P&gt;&lt;P&gt;it would be much appreciated if someone could help how to limit the monitoring files and control the memory consumption.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2024 16:56:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692911#M115180</guid>
      <dc:creator>NReddy12</dc:creator>
      <dc:date>2024-07-10T16:56:35Z</dc:date>
    </item>
    <item>
      <title>Re: High memory/cpu usage by splunk universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692913#M115181</link>
      <description>&lt;P&gt;Check your inputs.conf and ensure the stanzas are properly configured to monitor only the files that you want, specifically you can adjust the block and allow lists:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[monitor:// whatever]
whitelist = ( REGEX )
blacklist = ( REGEX )&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That aside, I strongly encourage you to follow Giuseppe's advice and contact your Splunk admin to open a case on your behalf.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2024 17:57:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692913#M115181</guid>
      <dc:creator>JohnEGones</dc:creator>
      <dc:date>2024-07-10T17:57:38Z</dc:date>
    </item>
    <item>
      <title>Re: High memory/cpu usage by splunk universal forwarder</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692938#M115187</link>
      <description>&lt;P&gt;Wait, wait, wait. Do you mean that your UF has to keep track of over a million files? That can have a huge memory footprint. Also polling directories containing all those files can be intensive. And not much tuning can help here.&lt;/P&gt;&lt;P&gt;Side note - are you sure you need to use batch input? You're showing events from tailingprocessor which is used with monitor inputs.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2024 21:05:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/High-memory-cpu-usage-by-splunk-universal-forwarder/m-p/692938#M115187</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2024-07-10T21:05:54Z</dc:date>
    </item>
  </channel>
</rss>

