topic Re: High CPU usage on UF in Getting Data In

High CPU usage on UF

mmoermans — Thu, 01 Feb 2018 08:53:43 GMT

We've been noticing a high CPU use on a windows splunk forwarder that only has a simple monitor statement.
The following monitor is used:

--inputs.conf
[monitor://\server\data$\LogDir*.log]
disabled = false
index = dataindex
sourcetype = datatype

With a few date.log files to monitor and the correct output to the indexers.

Does anyone know what the cause might be for the high CPU? The _internal logs show nothing of interest.

Re: High CPU usage on UF

nickhills — Thu, 01 Feb 2018 09:07:10 GMT

If possible, always install the forwarder on the server with the files - mounting a remote share to pull data into a UF is inefficient.
Its not always possible ( I know) but UNC file shares add failure points, latency and network overhead you are better off avoiding if possible. - Probably not the direct cause of you issue, but worth considering.

What version of UF/Windows? and how big are they logs. Do they break nicely? - Have you looked at your queues on the UF?

Re: High CPU usage on UF

MousumiChowdhur — Tue, 13 Mar 2018 06:44:09 GMT

Hi @mmoermans,

It's always recommended not to use wildcard in the monitor stanza if you really have less number of files to be monitored.

Also, verify the below points-
1. Number of files that are getting monitored by the command ./splunk list monitor.
2. Size of the log files.
3. Proper parsing of the log files.
4. Check if any older files are being monitored and if so you can ignore those.

I hope you would find something from checking the above listed points.

Thanks.