Splunk Enterprise

How many CPUs are recommended in a windows server running the splunk universal forwarders agent?

sbatino
Observer

Hi,

It seems the "splunkd service" process has significant CPU consumption (e.g. 40%, 31% and so on). These virtual machines have 2 cores.
How many CPUs are recommended in a Windows server running the Splunk universal forwarder agent?

0 Karma

sbatino
Observer

ok, thanks !

0 Karma

PickleRick
Ultra Champion

Yep, I can fully confirm @richgalloway's response. If you have a UF ingesting just system logs on a workstation, you won't even notice it's there. But if you're querying several dozen hosts over WMI or ingesting Exchange logs from twenty file shares... well, that's another story.

0 Karma

richgalloway
SplunkTrust

The Splunk Universal Forwarder usually uses ~2% of resources, but that can vary depending on the workload. What is your UF doing that it needs so much CPU? How many files is it monitoring? How much data is being transferred?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

sbatino
Observer

Sorry for replying late, I was busy. Another team manages the affected VMs,
but I can say that they have deleted a lot of old log files in the Apache folder, and now the CPU is between 2% and 3%. Good!

Does Splunk ingest all files?

0 Karma

PickleRick
Ultra Champion

Of course not. What do you mean by "all files"? Your windows directory? 😉

But seriously, by default the only logs the UF ingests are its own log files. They go to the _internal index, so they don't count against your license anyway.

You need to explicitly add other inputs to pull data from them.

0 Karma

isoutamo
SplunkTrust

It ingests only what you have told it to ingest, plus some internal files. If you have added e.g. some directories and those contain hundreds or thousands of files, it needs to check whether new events are coming in, even for files that have already been rotated by the original app or by some housekeeping software. Depending on the OS and filesystem, that can be easy and light (e.g. with inotify) or hard and use a lot of resources (keeping the file handle open, or even regularly close, open and seek). For that reason you should regularly remove already indexed files from those directories to avoid unnecessary resource usage.

r. Ismo

0 Karma
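Deleting old files, as was done on the affected VMs, is one fix; the other is to stop the UF from tracking rotated copies in the first place. The following `inputs.conf` monitor stanza is an added example (not configuration from anyone in this thread) for the Apache log directory mentioned above. The path, index, sourcetype and the 7-day window are assumptions; the settings themselves (`whitelist`, `blacklist`, `ignoreOlderThan`) are standard monitor-input options.

```ini
# Added example, not from the original thread. Path, index, sourcetype and
# the 7-day window are assumptions; adjust them to your environment.
[monitor://C:\Apache24\logs]
disabled = false
index = web
sourcetype = access_combined

# Regexes are matched against the full path. Only live *.log files are
# tracked; rotated or compressed copies are never opened, so the UF does
# not spend CPU re-checking thousands of stale files on every pass.
whitelist = \.log$
blacklist = \.(gz|zip|bak|\d+)$

# Files whose modification time is older than this are not tracked at all.
# Caveat: a file that falls outside the window is skipped even if it was
# never indexed, so size the window to your rotation schedule, not shorter.
ignoreOlderThan = 7d
```

After restarting the forwarder, `splunk list inputstatus` shows which files are still being tracked and which were ignored, which is a quick way to confirm the stanza actually shrank the working set before looking at CPU again.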