Forums: SplunkAdministration: Deploying as agent causing 100% CPU usage


Hi all,
I'm deploying Splunk 4 as a lightweight forwarder on our production servers. I've set it up to monitor WMI about every 10 seconds as well as our application logs. If I move the logs away, I get 100% usage for about half a second, then very little. If there are a large amount of logs in the monitored when I start Splunk the first time, the indexing and forwarding of the data uses all my app server's CPU. Is there a way I can limit the CPU usage of the splunkd service on Windows Server 2003?

Thanks,
Todd

You can try setting:

[thruput]
maxKBps = 128

or even lower in limits.conf. The default on a lightforwarder is 256KBps. If you're using deployment server, after the initial data has been indexed, you can push back out or remove that limits.conf setting.

You can also try to use followTail = true (for files) and current_only = true (for WinEventLogs) to have it only index logs from the current time, but I have heard there might be bugs right now where these two settings aren't working.

Hi all. I resolved my previous problems by limiting the thruput to 128. Since I've upgraded to 4.0.6, I'm back to getting 80-100% CPU utilization on my Splunk forwarder instance. I've tried lightweight forwarding, but that doesn't work as it stops forwarding my WMI data. I've also tried to set the followTail as well as current only, but this doesn't seem to help. Any other ideas what I could do to reduce the CPU usage?