Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

High CPU usage on UF

mmoermans
Path Finder
‎02-01-2018 12:53 AM

We've been noticing a high CPU use on a windows splunk forwarder that only has a simple monitor statement.
The following monitor is used:

--inputs.conf
[monitor://\server\data$\LogDir*.log]
disabled = false
index = dataindex
sourcetype = datatype

With a few date.log files to monitor and the correct output to the indexers.

Does anyone know what the cause might be for the high CPU? The _internal logs show nothing of interest.

0 Karma
Reply

MousumiChowdhur
Contributor
‎03-12-2018 11:44 PM

Hi @mmoermans,

It's always recommended not to use wildcard in the monitor stanza if you really have less number of files to be monitored.

Also, verify the below points-
1. Number of files that are getting monitored by the command ./splunk list monitor.
2. Size of the log files.
3. Proper parsing of the log files.
4. Check if any older files are being monitored and if so you can ignore those.

I hope you would find something from checking the above listed points.

Thanks.

Reply

nickhills
Ultra Champion
‎02-01-2018 01:07 AM

If possible, always install the forwarder on the server with the files - mounting a remote share to pull data into a UF is inefficient.
Its not always possible ( I know) but UNC file shares add failure points, latency and network overhead you are better off avoiding if possible. - Probably not the direct cause of you issue, but worth considering.

What version of UF/Windows? and how big are they logs. Do they break nicely? - Have you looked at your queues on the UF?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...