I have splunk installad as a lightforwarder on a windows 2k8 machine. This search
source=WMI:localprocesses Name!=Total | rex field=Name "(?<Name>[^#]+)#\d+$" | eval CPULoad = PercentProcessorTime | search host="kebab01" | stats avg(CPULoad) by Name
Shows that splunkds "avg(CPULoad)" is around 95%, that feels quite much, is it normal? Im running the latest version of splunk on the windows machine.
Does this server by any chance have two processors? I am seeing the exact same behavior only affecting 2008 servers. If they have a single processor the Splunkd service has it locked at 100%, 2 processors 50%, 4 processors 25% etc.
I am using Splunk 4.2.1 build 98164 of the splunk forwarder.
Have you compared what Splunk is saying versus what the host server is saying (task manager)? Also, how long has Splunk been running on the host? I have noticed on some of my 2008 servers the initial sending of data can spike the system. Since it is a lightforwarder it shouldn't be doing any data transformations or analyse so it should not spike the CPU.
I would remote to the server and see what service or application is using the CPU or if the system is running at 95%.