Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Logging thousend files via Splunk Forwarder causes high CPU load

tfechner
Path Finder
‎08-10-2018 06:59 AM

Hi there,

we have a oracle logging directory with thousend .aud files for logging to Splunk.
Each day over 700 new files will be created.
We experience a heavy workload on the system caused by the splunkd process.

We think splunkd monitores ALL files and after some weeks a hugh bunch of filemonitoring threads are occuping the CPU.

How can we tell splunk not to monitor already indexed files and only have a look on new created. The closed file will never be changed anymore.

Our inputs.conf:

[monitor:///oracle/Q*/trace/audit/*.aud]
sourcetype=oracle:audit:text
whitelist = \w.+.aud
ignoreOlderThan=7d
index=oracle_sap
disabled = false
0 Karma
Reply

ddrillic
Ultra Champion
‎08-11-2018 03:55 PM

What's the forwarder version? - Universal Forwarder Using High CPU?

0 Karma
Reply

tfechner
Path Finder
‎08-13-2018 12:39 AM

we use the newst one 7.1.2.X

0 Karma
Reply

amiftah
Communicator
‎08-10-2018 07:43 AM

I think you have to create your own script to delete/move/rename the indexed files.

0 Karma
Reply

sudosplunk
Motivator
‎08-10-2018 07:28 AM

Hi,

How are your new files named? Any thing to differentiate new and old.

0 Karma
Reply

tfechner
Path Finder
‎08-10-2018 08:01 AM

fielname_structure:
AppID_OracleID_timestamp.aud
with:
appid= P56
OracleID: 53457673
time: 2018073134756825434785

0 Karma
Reply

sudosplunk
Motivator
‎08-10-2018 08:18 AM

The naming doesn't seem to be helpful. Since new files are created every day, decrease ignoreOlderThan to 2 or 3 days. This can reduce load.

0 Karma
Reply

tfechner
Path Finder
‎08-10-2018 08:00 AM

fielname_structure:
AppID_OracleID_timestamp.aud
with:
appid= P56
OracleID: 53457673
time: 2018073134756825434785

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...