Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HeavyForwarder 100% use on 1 cpu and 0% on others CPUs

fabiocaldas
Contributor
‎08-27-2013 03:08 PM

I create a toplogy with one Splunk Indexer using a Master Enterprise License, and 2 HeavyForwarders using Slave License. On those HF I´m apllying SEDCMD and TRANSFORMATION before send data to Indexer.

My Both Forwarders are showing a strange behavior when I look at top command:

They use one core 100% and leave all others core 0% usage. (I took screen but I don't have karma to send the links)

My Indexer looks like fine using all cores avaliables.

What I'm missing? Why my HF only use one core?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fabiocaldas
Contributor
‎09-02-2013 09:57 PM

Splunk support helped me to understand that is expected behavior:

"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."

The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.

I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.

View solution in original post

Reply
Solved! Jump to solution
Solution

fabiocaldas
Contributor
‎09-02-2013 09:57 PM

Splunk support helped me to understand that is expected behavior:

"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."

The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.

I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.

Reply
Solved! Jump to solution

fabiocaldas
Contributor
‎09-10-2013 06:40 AM

Thanks Kristian !!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-10-2013 06:35 AM

click on the little check-mark to the left to the answer you like mark as answered.

0 Karma
Reply
Solved! Jump to solution

fabiocaldas
Contributor
‎09-10-2013 05:38 AM

R.Turk, how can I mark the questions as answered?

0 Karma
Reply
Solved! Jump to solution

fabiocaldas
Contributor
‎09-10-2013 05:31 AM

The link that I told is: http://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

Reply
Solved! Jump to solution

rturk
Builder
‎09-10-2013 04:27 AM

Hi Fabio, can you mark the question as answered and perhaps post a link to the wiki article that assisted you so that anyone else with a similar issues can use it? Cheers 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...