https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405810#M72010 <P>we use the newst one 7.1.2.X</P> Mon, 13 Aug 2018 07:39:52 GMT tfechner 2018-08-13T07:39:52Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405803#M72003 <P>Hi there,</P> <P>we have a oracle logging directory with thousend .aud files for logging to Splunk.<BR /> Each day over 700 new files will be created. <BR /> We experience a heavy workload on the system caused by the splunkd process.</P> <P>We think splunkd monitores ALL files and after some weeks a hugh bunch of filemonitoring threads are occuping the CPU.</P> <P>How can we tell splunk not to monitor already indexed files and only have a look on new created. The closed file will never be changed anymore.</P> <P>Our inputs.conf:</P> <PRE><CODE>[monitor:///oracle/Q*/trace/audit/*.aud] sourcetype=oracle:audit:text whitelist = \w.+.aud ignoreOlderThan=7d index=oracle_sap disabled = false </CODE></PRE> Fri, 10 Aug 2018 13:59:55 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405803#M72003 tfechner 2018-08-10T13:59:55Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405804#M72004 <P>Hi,</P> <P>How are your new files named? Any thing to differentiate new and old. </P> Fri, 10 Aug 2018 14:28:33 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405804#M72004 sudosplunk 2018-08-10T14:28:33Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405805#M72005 <P>I think you have to create your own script to delete/move/rename the indexed files.</P> Fri, 10 Aug 2018 14:43:48 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405805#M72005 amiftah 2018-08-10T14:43:48Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405806#M72006 <P>fielname_structure:<BR /> AppID_OracleID_timestamp.aud<BR /> with:<BR /> appid= P56<BR /> OracleID: 53457673 <BR /> time: 2018073134756825434785</P> Tue, 29 Sep 2020 20:53:40 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405806#M72006 tfechner 2020-09-29T20:53:40Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405807#M72007 <P>fielname_structure:<BR /> AppID_OracleID_timestamp.aud<BR /> with:<BR /> appid= P56<BR /> OracleID: 53457673 <BR /> time: 2018073134756825434785</P> Tue, 29 Sep 2020 20:53:43 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405807#M72007 tfechner 2020-09-29T20:53:43Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405808#M72008 <P>The naming doesn't seem to be helpful. Since new files are created every day, decrease <CODE>ignoreOlderThan</CODE> to 2 or 3 days. This can reduce load.</P> Fri, 10 Aug 2018 15:18:54 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405808#M72008 sudosplunk 2018-08-10T15:18:54Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405809#M72009 <P>What's the forwarder version? - <A href="https://answers.splunk.com/answers/435993/universal-forwarder-using-high-cpu.html">Universal Forwarder Using High CPU?</A></P> Sat, 11 Aug 2018 22:55:01 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405809#M72009 ddrillic 2018-08-11T22:55:01Z https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405810#M72010 <P>we use the newst one 7.1.2.X</P> Mon, 13 Aug 2018 07:39:52 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-thousend-files-via-Splunk-Forwarder-causes-high-CPU-load/m-p/405810#M72010 tfechner 2018-08-13T07:39:52Z