Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HeavyForwarder 100% use on 1 cpu and 0% on others CPUs

fabiocaldas
Contributor
‎08-27-2013 03:08 PM

I create a toplogy with one Splunk Indexer using a Master Enterprise License, and 2 HeavyForwarders using Slave License. On those HF I´m apllying SEDCMD and TRANSFORMATION before send data to Indexer.

My Both Forwarders are showing a strange behavior when I look at top command:

They use one core 100% and leave all others core 0% usage. (I took screen but I don't have karma to send the links)

My Indexer looks like fine using all cores avaliables.

What I'm missing? Why my HF only use one core?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fabiocaldas
Contributor
‎09-02-2013 09:57 PM

Splunk support helped me to understand that is expected behavior:

"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."

The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.

I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.

View solution in original post

Reply
Solved! Jump to solution
Solution

fabiocaldas
Contributor
‎09-02-2013 09:57 PM

Splunk support helped me to understand that is expected behavior:

"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."

The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.

I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.

Reply
Solved! Jump to solution

fabiocaldas
Contributor
‎09-10-2013 06:40 AM

Thanks Kristian !!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎09-10-2013 06:35 AM

click on the little check-mark to the left to the answer you like mark as answered.

0 Karma
Reply
Solved! Jump to solution

fabiocaldas
Contributor
‎09-10-2013 05:38 AM

R.Turk, how can I mark the questions as answered?

0 Karma
Reply
Solved! Jump to solution

fabiocaldas
Contributor
‎09-10-2013 05:31 AM

The link that I told is: http://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine

Reply
Solved! Jump to solution

rturk
Builder
‎09-10-2013 04:27 AM

Hi Fabio, can you mark the question as answered and perhaps post a link to the wiki article that assisted you so that anyone else with a similar issues can use it? Cheers 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...