jayzba, one way to do this would be with Windows scheduled tasks or Linux's cron.
In Windows, you'd write two .cmd batch files, one that stops the service and one that starts the service.
stopSplunk.cmd would contain:
sc stop UniversalForwarder
startSplunk.cmd would contain
sc start UniversalForwarder
Then you'd schedule startSplunk to run at the top of every hour and run stopSplunk five minutes after every hour, or whatever particular times you're okay with Splunk running. e.g. If it can't run during business hours you could use these to start Splunk once a day in the middle of night or such.
In Linux you could put the command directly into cron:
0 * * * * * * * /opt/splunkforwarder/bin/splunk start
5 * * * * * * * /opt/splunkforwarder/bin/splunk stop
sure, you can start and stop the universal forwarder for example by
cron. The UF will pick up reading files where it left. The amount of memory used by the UF is mainly driven by the amount of files monitored by the UF, for example directories with a large number of files in it like rotated logs. Try to set your UF only to monitor the most recent files you need and set it to ignore rotated files by using for example
ignoreOlderThan in inputs.conf or set the monitor stanza to the log file name you need.
hope this helps ...