Getting Data In

Windows regmon process maxing CPU usage

MHibbin
Influencer

Hi guys,

I have started upgrading our Windows forwarders, and have seen issues with the regmon process (splunk-regmon.exe)maxing out the CPU usage on the hosting server. The only workaround I have at the moment is to disable the input script at the system level. This is not ideal as we monitor the changes in the registry.

This has had the same effect on Windows 2003, 2008 R2, and 2012.

Is this a known issues (I have checked the release notes, but couldn't see anything)? Is there a work-around that can enable us to use this feature without maxing out the CPU?

If it is a bug, where do I find the submission form? - it's been a long time since I've looked at the form.

Thanks,

MHibbin

0 Karma

Drainy
Champion

Bonjour!

Firstly, what are you upgrading from and to? It might also be worth checking the input before and after incase any migration steps have accidentally modified it so its causing regmon to have a bit of a wobbler.
Also I guess you've checked but also worth looking for any error or warning logs,

To submit a case (which I suspect you're going to need to) is at https://splunk--c.na2.visual.force.com/apex/CP_CaseSubmissionPage?caseID=NewCase (which you could find by going to the main Splunk site and hitting up Support 🙂 )

Another step to try would be on a search head to go to Manager -> System Settings and then to the System logging. If you put reg into the search box you will see a couple of related logging outputs. Might be worth editing the log.cfg on the forwarder to try and get more detail out of them;
http://docs.splunk.com/Documentation/Splunk/5.0.4/AdvancedDev/ModInputsLog

MHibbin
Influencer

Upgrading from 4.3.4 to 5.0.4, couldn't see anything in the logs other than the inputs starting up.

I'll try the logging.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!