I understand. But IMHO, it's not that obvious, since I'm skipping unneeded files older than 5 minutes (ignoreOlderThan=5m), so I'm telling Splunk Forwarder to NOT ANALYZE files with a timestamp older than 5m... but, obviously, to take the timestamp, I think it needs to "read" from the OS and use a file.descriptor call, but I really can't understand why it needs so much RAM to skip older files 🙄

Unfortunately I can't manage the logs, since there is an Application Team who does that. And, as said before, there is already a whitelist to take only two types of files (but it isn't really needed, since the whole path is full of needed small files, divided into two prefixes (ex. "Job.NODE1.<sessionname>.txt" and "Logging.NODE1.<sessionname>.txt"), and they are +100.000 per day, in small, very small size... but they have developed the Application this way 🤕 when a single file could be very useful)...

I think it's also unuseful to install more instances of forwarders, since forwarder1+forwarder2 RAM consumption will be something like a single forwarder instance 🙄

At the end of the story, anyway, the Forwarder does its job, System RAM is 16GB, Applications work..... so... who cares? 😀