Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How many CPUs are recommended in a windows server running the splunk universal forwarders agent?

sbatino
Observer
‎04-08-2022 03:13 AM

Hi,

it seems the "splunkd service" process has significant CPU consumption (eg 40%; 31% and so on). These virtual machines have 2 cores.
how many CPUs are recommended in a windows server running the splunk universal forwarders agent?

Labels (1)
Labels
0 Karma
Reply

sbatino
Observer
‎05-03-2022 03:50 AM

ok, thanks !

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-08-2022 10:58 AM

Yep, I can fully confirm @richgalloway 's response. If you have UF ingesting just system logs on a workstation you won't even notice it's there. But if you're querying several dozen hosts over WMI or ingesting exchange logs from twenty file shares... well, that's another story.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-08-2022 07:57 AM

The Splunk Universal Forwarder usually uses ~2% of resources, but that can vary depending on the workload.  What is your UF doing that it needs so much CPU?  How many files is it monitoring?  How much data is being transferred?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sbatino
Observer
‎05-03-2022 03:23 AM

Sorry to reply you late, I was busy. Another team manages these affected VMs
but I can say that they have deleted a lot of old log files on the Apache folder. , and now the CPU is between 2% -3%. . Good .!

Does Splunk ingest all files ..?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-03-2022 03:46 AM

Of course not. What do you mean by "all files"? Your windows directory? 😉

But seriously, by default the only logs that the UF ingests are its own log files. They go to _internal index so they don't count against your license anyway.

You need to explicitly add other inputs to pull data from them.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-03-2022 07:04 AM

It ingest only what you have told to Ingest + some internal files. If you have added e.g. some directories and those contains hundreds / thousands of files it needs to check it there have a new events coming even those are already rotated by original app/some house keeping software.  Based on OS and filesystems that can be easy and light (e.g. with inotify) or hard and use lot of resources (keep filehandle open or even regularly close&open&seek). For that reason you should remove already indexed files regularly away from those directories to avoid unnecessary resource usage.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...