Our Windows admins are complaining about high CPU usage on our AD DCs and are pointing their finger at the Splunk UF. In the inputs.conf file i the default folder, there is a stanza: [admon] / interval=60 / baseline = 0. This is installed on about 10K workstations/servers. There are no other inputs.conf files with settings to monitor AD.
Does this cause the workstations to query AD even if no other inputs are defined?
The admon input monitors Active Directory and so only needs to be enabled on an AD server. It should be disabled on workstations and non-AD servers.
See https://www.splunk.com/en_us/blog/tips-and-tricks/working-with-active-directory-on-splunk-universal-... (old, but still relevant), https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Active-Directory-ADMON/m-p/77874 , and https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory