I've just installed Splunk Universal Forwarder 4.2.1 on a Linux server. I've pointed it at the whole of /var/log, which amounts to 3220 files, 24 directories and 467MiB of data.
Both CPU and memory usage of the forwarder seem to be way too high. One splunkd process seems to almost continuously use 100% of one CPU, and this same process is using 525MiB(!) of memory.
I don't see anything pertinent in the splunkd logs. strace of the splunkd process shows it calling futex() and epoll_wait() a lot and not much else...
John.