Why am I seeing Splunk-Winevtlog.exe Initial High CPU Utilization on Installation of Windows Splunk Forwarder v 7.1.2?

ajdyer2000
Path Finder

Hi,

Right after the initial install of the Splunk Windows Forwarder the Splunk-Winevtlog.exe process consistently runs at 25% utilization.

This will happen for 3 to 5 hours then will go down to zero and won't do it again.

Wondering if anyone else may have seen this and how to prevent this from happening.

The forwarders are being installed on Windows 10 devices.

Thanks for all the help I'm getting on this forum. 🙂

Alan

0 Karma

HiroshiSatoh
Champion

At the time of initial startup, I think that the load is taken to acquire all past event logs.

It will not happen unless we acquire the past.

inputs.conf

[WinEventLog://<name>]
current_only = 1

Restart Splunk.

By setting current_only to 1 (enabled), you will get "only Windows event logs generated while Splunk is running".
By default, it is set to 0 (invalid).

0 Karma
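
An added example, not part of the original thread and not Splunk's own code: a small Python audit that reads an inputs.conf and reports, for each WinEventLog channel, whether it will read past events on first start (the load described in the answer above) or collect only events generated while Splunk is running. The sample configuration, the function name and the set of values treated as "enabled" are assumptions made for illustration.

```python
import configparser

# Constructed sample inputs.conf for illustration (not from the thread).
SAMPLE_INPUTS_CONF = """
[default]
host = WIN10-LAB

[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
current_only = 1

[WinEventLog://System]
current_only = 0

[monitor://C:\\Logs\\app.log]
disabled = 0
"""

# Assumption: values this script treats as "enabled" for current_only.
TRUTHY = {"1", "true", "t", "yes", "y"}


def audit_wineventlog(conf_text):
    """Map each WinEventLog channel to 'current_only' or 'backfill'."""
    parser = configparser.ConfigParser(
        default_section="default",  # let [default] settings apply to every stanza
        interpolation=None,         # treat '%' in values literally
        strict=False,               # tolerate repeated stanzas
    )
    parser.optionxform = str        # keep setting names exactly as written
    parser.read_string(conf_text)
    result = {}
    for section in parser.sections():
        if not section.startswith("WinEventLog://"):
            continue                # skip monitor:// and other input types
        channel = section.split("://", 1)[1]
        # Per the answer above, current_only is 0 when it is not set.
        value = parser.get(section, "current_only", fallback="0").strip().lower()
        result[channel] = "current_only" if value in TRUTHY else "backfill"
    return result


if __name__ == "__main__":
    for channel, mode in sorted(audit_wineventlog(SAMPLE_INPUTS_CONF).items()):
        print(f"{channel:<12} {mode}")
```

Channels reported as `backfill` read the existing log when the forwarder first starts; channels reported as `current_only` skip that history, so events already in the log, or written while Splunk is not running, are not collected.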