I know this information is useful when trouble shooting....
But if I am sure the TA-nmon is working well ,could I turn it off ? or just drop this information ?
Because nmon2csv script runs every minutes, and if I want to monitor 100+ hosts.... It will costs me a lot of splunk license for such log I don't need. ( And I also believe it will impact the index performance.. )
The last version of the TA-nmon with the release 1.3.25 implements by default a "silent" option for the processing logs.
This option reduces the volume of data to be generated by removing all the per section line information.
Does it answers to your need ? Could you confirm ?
Right, well those information are indeed useful to observe and trouble shoot any potential issue with the processing implemented in the TA.
Those information are also extracted and exploited in some administrative views I do provide like the the TCO dashboard or the Add-on reporting dashboard.
So, I ran into some analysis, as far as I can see this (the nmon_processing sourcetype) relies on 5 to 10% of the global volume of data to be generated by the Nmon app.
There are many Nmon app deployments at 1K servers and even much more, at scale this becomes indeed not that negligible.
Note that you cannot assume that this is "bad" for your indexing performance, this is indexing and this what Splunk is done for, if you have trouble indexing then you have trouble with your infrastructure, deployment and / or design.
The more "clever" approach is I think an update from me, which would if not reduce at least provide an options people could use to lower the verbosity of the Nmon processing
Other solution at the Splunk level, redirect those events to null Queue, I have tested and validated the following configuration:
# nmon_processing null redirection, apply the following transform
# Redirect to null Queue the nmon_processing events
Those configuration would have to be applied to all "full Splunk instances" which includes indexers, search heads and heavy forwarder. (this is not mandatory required for Universal Forwarder as it produces uncooked data)
So you would for instance includes those custom configuration with the TA-nmon and the PA-nmon_light, or anywhere you like.
This obliviously result in completely ignore and prevent from indexing the nmon_processing data. (On the network side the data is still generated and forwarded, but not indexed)
The first option will be implemented in next release of the TA-nmon.