Getting Data In

HeavyForwarder 100% use on 1 cpu and 0% on others CPUs

fabiocaldas
Contributor

I create a toplogy with one Splunk Indexer using a Master Enterprise License, and 2 HeavyForwarders using Slave License. On those HF I´m apllying SEDCMD and TRANSFORMATION before send data to Indexer.

My Both Forwarders are showing a strange behavior when I look at top command:

They use one core 100% and leave all others core 0% usage. (I took screen but I don't have karma to send the links)

My Indexer looks like fine using all cores avaliables.

What I'm missing? Why my HF only use one core?

0 Karma
1 Solution

fabiocaldas
Contributor

Splunk support helped me to understand that is expected behavior:

"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."

The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.

I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.

View solution in original post

fabiocaldas
Contributor

Splunk support helped me to understand that is expected behavior:

"This is expected, there is a single splunkd process managing the parsing/indexing therefore it runs on a single cpu."

The point here is, if I want to use all CPUs, I must install one Splunk Instance for each CPU core, configure it using separeted web, managment and input TCP ports.

I tried and it's works fine. I used a wiki article Run_multiple_Splunks_on_one_machine as guideline.

fabiocaldas
Contributor

Thanks Kristian !!

0 Karma

kristian_kolb
Ultra Champion

click on the little check-mark to the left to the answer you like mark as answered.

0 Karma

fabiocaldas
Contributor

R.Turk, how can I mark the questions as answered?

0 Karma

fabiocaldas
Contributor

rturk
Builder

Hi Fabio, can you mark the question as answered and perhaps post a link to the wiki article that assisted you so that anyone else with a similar issues can use it? Cheers 🙂

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...