All Apps and Add-ons

Splunk Add-on for Microsoft Windows 4.8.4 splunk-netmon.exe memory leak on host?


I'm running the Splunk_TA_windows app to collect host information from Windows Server 2012 R2 servers. If I start/restart the splunk forwarder service everything is fine however after a day or two the splunk-netmon.exe process seems to show signs of a memory leak. Over the course of a week or so the process will consume 80-90% of the host's memory. Has anyone else ran into this? I have this on multiple hosts running a mixed bag of different applications.

splunk forwarder version 6.6.6
splunk add on for microsoft windows version 4.8.4

inputs.conf for splunk_ta_windows:

###### Network monitoring ######
direction = inbound
disabled = 0
index = windows
packetType = accept;connect

direction = outbound
disabled = 0
index = windows
packetType = accept;connect```
0 Karma


I was never a fan of filtering options (on the uf) for this input type. recommend using sysinternals sysmon instead.

Here's your future search:

source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" "<EventID>3</EventID>" OR EventCode="3"
 | table _time host source EventID RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName 
 | sort 0 - _time
0 Karma