All Apps and Add-ons

What is the purpose of [admon] stanza in Windows Splunk UF default folder

dokaas_2
Path Finder

Our Windows admins are complaining about high CPU usage on our AD DCs and are pointing their finger at the Splunk UF. In the inputs.conf file i the default folder, there is a stanza: [admon] / interval=60 / baseline = 0. This is installed on about 10K workstations/servers. There are no other inputs.conf files with settings to monitor AD.

Does this cause the workstations to query AD even if no other inputs are defined?

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The admon input monitors Active Directory and so only needs to be enabled on an AD server.  It should be disabled on workstations and non-AD servers.

See https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-... (old, but still relevant), https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Active-Directory-ADMON/m-p/77874 , and https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory

---
If this reply helps you, an upvote would be appreciated.
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!