Monitoring Splunk

Splunk lightforwarder (splunkd) on windows 2k8 cpu consumation 100%

Path Finder

I have splunk installad as a lightforwarder on a windows 2k8 machine. This search

source=WMI:localprocesses Name!=Total 
| rex field=Name "(?<Name>[^#]+)#\d+$" 
| eval CPULoad = PercentProcessorTime 
| search host="kebab01" 
| stats avg(CPULoad) by Name

Shows that splunkds "avg(CPULoad)" is around 95%, that feels quite much, is it normal? Im running the latest version of splunk on the windows machine.

Tags (1)
0 Karma

Explorer

Does this server by any chance have two processors? I am seeing the exact same behavior only affecting 2008 servers. If they have a single processor the Splunkd service has it locked at 100%, 2 processors 50%, 4 processors 25% etc.

I am using Splunk 4.2.1 build 98164 of the splunk forwarder.

0 Karma

Path Finder

According to the task manager it takes up around 51 % cpu constantly (and around 128 mb ram). Not around 95% thats splunk show, but still it seems way to much

0 Karma

SplunkTrust
SplunkTrust

Have you compared what Splunk is saying versus what the host server is saying (task manager)? Also, how long has Splunk been running on the host? I have noticed on some of my 2008 servers the initial sending of data can spike the system. Since it is a lightforwarder it shouldn't be doing any data transformations or analyse so it should not spike the CPU.

I would remote to the server and see what service or application is using the CPU or if the system is running at 95%.

0 Karma