Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How many CPUs are recommended in a windows server running the splunk universal forwarders agent?

sbatino
Observer
‎04-08-2022 03:13 AM

Hi,

it seems the "splunkd service" process has significant CPU consumption (eg 40%; 31% and so on). These virtual machines have 2 cores.
how many CPUs are recommended in a windows server running the splunk universal forwarders agent?

Labels (1)
Labels
0 Karma
Reply

sbatino
Observer
‎05-03-2022 03:50 AM

ok, thanks !

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-08-2022 10:58 AM

Yep, I can fully confirm @richgalloway 's response. If you have UF ingesting just system logs on a workstation you won't even notice it's there. But if you're querying several dozen hosts over WMI or ingesting exchange logs from twenty file shares... well, that's another story.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-08-2022 07:57 AM

The Splunk Universal Forwarder usually uses ~2% of resources, but that can vary depending on the workload.  What is your UF doing that it needs so much CPU?  How many files is it monitoring?  How much data is being transferred?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sbatino
Observer
‎05-03-2022 03:23 AM

Sorry to reply you late, I was busy. Another team manages these affected VMs
but I can say that they have deleted a lot of old log files on the Apache folder. , and now the CPU is between 2% -3%. . Good .!

Does Splunk ingest all files ..?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-03-2022 03:46 AM

Of course not. What do you mean by "all files"? Your windows directory? 😉

But seriously, by default the only logs that the UF ingests are its own log files. They go to _internal index so they don't count against your license anyway.

You need to explicitly add other inputs to pull data from them.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-03-2022 07:04 AM

It ingest only what you have told to Ingest + some internal files. If you have added e.g. some directories and those contains hundreds / thousands of files it needs to check it there have a new events coming even those are already rotated by original app/some house keeping software.  Based on OS and filesystems that can be easy and light (e.g. with inotify) or hard and use lot of resources (keep filehandle open or even regularly close&open&seek). For that reason you should remove already indexed files regularly away from those directories to avoid unnecessary resource usage.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...