Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Optimising CPU + RAM usage on Universal Forwarder

DavidHourani
Super Champion
‎08-23-2017 06:57 AM

Hello guys,

I've been looking around in the questions and most of them are about forwarders causing High CPU because of some bug or some misconfiguration. My questions is about optimising and tweaking a universal forwarder that is working well in order to reduce its CPU impact.

So anyone who has tips and tricks to share it will be very much welcome. Even if you have system level tips for linux/windows it's also welcome!

Best regards,
David

0 Karma
Reply

mdessus_splunk
Splunk Employee
Splunk Employee
‎09-01-2017 08:22 AM

I'm not sure there is a prefect answer for your question. By default, the fwd is designed to have a very limited impact on the system. You can limit the inputs to the ones that match your needs.
You might also look at windows system features.

Of course, you can monitor CPU usage in Splunk 🙂

0 Karma
Reply

mdessus_splunk
Splunk Employee
Splunk Employee
‎08-23-2017 01:58 PM

Hi David,

Do you have any specific issues ? On which system ? When collecting what kind of data ?
Can you give some details ?

0 Karma
Reply

DavidHourani
Super Champion
‎08-25-2017 02:44 AM

Hello Mathieu, hope you're well 🙂

I have FWDs running on windows DC and I want to set limits to make sure that they never go over 5% CPU even if that means slowing down log collection.
Any idea on how that could be done ?
Cheers,
David

0 Karma
Reply

robertlynch2020
Influencer
‎02-19-2019 06:44 AM

I have the same issues, do you find a solution

0 Karma
Reply

ddrillic
Ultra Champion
‎08-23-2017 07:29 AM

Good information at -

alt text

Search please for the forwarder parts...

0 Karma
Reply

DavidHourani
Super Champion
‎08-23-2017 08:04 AM

What do you mean ? did you post any link because I cant see anything 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...