Getting Data In

Inputs.conf Settings for IAS Logs Takes 100% CPU

brian_meyer
Explorer

I've been pulling my hair out on this one for weeks and I'm finally to the point where I need a sanity check.

I'm just trying to pull logs from my IAS servers. One is 2008 R2 and the other 2012 R2. Both log to the default C:\windows\system32\logfiles\ folder.

I created a very basic app on my DS that would collect these files. Everything worked great until I noticed that both computers were always at 100% CPU utilization. Discovered it was due to the new app. Disable the app and restart the forwarder and CPU went back to normal.

I've changed just about every config on the app I can think of to try to discover what the issue is but no matter what I do the CPU spikes again. Even if I disable the app and but the monitor section in the system\local\inputs.conf file the CPU spikes.

My inputs.conf file is as basic as possible:
[monitor://C:\Windows\System32\LogFiles\*.log]
sourcetype=ias

Anyone have any ideas they can throw my way?

0 Karma
1 Solution

brian_meyer
Explorer

I think I may have fixed the issue by switching to the following inputs.conf config:

[monitor://C:\Windows\System32\LogFiles\]
whitelist=\.log$
sourcetype=ias

View solution in original post

0 Karma

brian_meyer
Explorer

I think I may have fixed the issue by switching to the following inputs.conf config:

[monitor://C:\Windows\System32\LogFiles\]
whitelist=\.log$
sourcetype=ias

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...