We are getting an alert from our Linux team stating that high swap usage is observed for the splunkd process on the Heavy Forwarder, which also acts as a syslog server.
The command below is said to be consuming it.
Well, there is 1 TB of space and only 9% of the storage is used. The issue observed is that CPU usage goes beyond 100% and memory utilization is high.
Using swap is not abnormal. A process that needs a lot of memory to handle a lot of data will swap when it needs more memory.
When you say "HF which also acts as a syslog server" does that mean syslog events are received on port 514 of the HF? If so, that's sub-optimal. Use a real, dedicated syslog server (like rsyslog or syslog-ng) with a universal forwarder. Even better is the Splunk Connect for Syslog (SC4S) app, which is a Docker app that receives syslog and forwards it to HEC inputs.
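As an added illustration of the split recommended above (this is example configuration, not something posted in the thread), the following shows rsyslog taking over port 514 and writing one file per sending host, with a Universal Forwarder monitor stanza picking those files up. The directory /var/log/remote, the ruleset name, the index and the sourcetype are assumptions for the example; adjust them to your environment.

```conf
# /etc/rsyslog.d/10-remote-syslog.conf  (assumed path; rsyslog v7+ RainerScript syntax)
# Listen on UDP and TCP 514 and route those inputs to a dedicated ruleset so
# remote events never mix with the local host's own syslog.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host and program; the hostname becomes a path segment
# that the forwarder can use as the Splunk host field.
template(name="RemoteFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteFile" dirCreateMode="0750" fileCreateMode="0640")
}

# $SPLUNK_HOME/etc/apps/<your_app>/local/inputs.conf on the Universal Forwarder
# (assumed app name; index and sourcetype are placeholders)
[monitor:///var/log/remote/*/*.log]
# Path segments are counted from 1: var=1, log=2, remote=3, <hostname>=4
host_segment = 4
sourcetype = syslog
index = main
disabled = false
```

With this in place splunkd on the forwarder box only tails files, so the per-event parsing load that the Heavy Forwarder was carrying on port 514 moves into rsyslog, and rsyslog keeps accepting messages during a Splunk restart instead of dropping them. The per-host files still need logrotate (or rsyslog's own rotation) so the directory does not grow without bound; the Universal Forwarder follows rotated files by default.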