Increased CPU usage in indexers after installing S...

leanderzz · ‎11-20-2015

Hi.

The Splunk for Unix/Linux add-on app includes a transforms.conf with a lot of regexps. After I installed this in my indexers, CPU usage for regexpreplacement has doubled. Are all these transformations/regexps applied to all incoming events? is that correct? I use a very small subset of this app, it sounds like a waste of resources to have all those regexps applied to all incoming events.

Thanks.

xcheng_splunk · ‎11-20-2015

Hi leanderzz,

transformations will apply to all incoming events. However, if you are only using a small subset of the app, you can only enable those data inputs from inputs.conf file. This way, transform.conf will only apply to the enabled data.
Just a reminder, only If the indexer is also a *nix host and you want to collect *nix data from it, should you enable the data and scripted inputs inside the Splunk_TA_nix add-on on the host. Otherwise, data collection should only happen on forwarders. Hope this helps.

Eric

Increased CPU usage in indexers after installing Splunk for Unix/Linux add-on app,CPU Usage increase after installing Splunk App for Unix and Linux add-on in Splunk indexers?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation