- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- HeavyForwarder 100% use on 1 cpu and 0% on others ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I create a toplogy with one Splunk Indexer using a Master Enterprise License, and 2 HeavyForwarders using Slave License. On those HF I´m apllying SEDCMD and TRANSFORMATION before send data to Indexer.
My Both Forwarders are showing a strange behavior when I look at top command:
They use one core 100% and leave all others core 0% usage. (I took screen but I don't have karma to send the links)
My Indexer looks like fine using all cores avaliables.
What I'm missing? Why my HF only use one core?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk support helped me to understand that is expected behavior:
"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."
The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.
I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk support helped me to understand that is expected behavior:
"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."
The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.
I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Kristian !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
click on the little check-mark to the left to the answer you like mark as answered.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R.Turk, how can I mark the questions as answered?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The link that I told is: http://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Fabio, can you mark the question as answered and perhaps post a link to the wiki article that assisted you so that anyone else with a similar issues can use it? Cheers 🙂
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
