Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

source::.../ in props.conf sourcetype stanza appears to be causing high overhead

Claw
Splunk Employee
Splunk Employee
‎05-03-2011 06:53 AM

I have a customer that set up the followin sourcetype spec in props.conf. on an AIX installation. /opt/usi is at the root level. This is Splunk version 4.2.1

[source::.../opt/usi/portal/prod/vap/logs/*txt]
sourcetype=vignette

It appears that the 2 of the CPUs went to 100% when this statement was added.

We changed it to the following so that the dir path match was exact and surprise, CPU utilization on the Splunk Index machine went to 2%.

[source::///opt/usi/portal/prod/vap/logs/*txt]
sourcetype=vignette

The trouble is, I don't know why.......

Any suggestions?

Reply

Claw
Splunk Employee
Splunk Employee
‎05-03-2011 12:08 PM

Thanks Gerald

Here is the inputs.conf, this is running on a version 4.2.1 universal forwarder

# Inputs.conf for Splunk USI 04/27/11  For Universal Forwarders only 
# Stored in /apps/splunk/splunkforwarder/etc/system/local
# 
# Use APP server section for App servers and DB Server section for the Database server
# comment or Uncomment appropriate sections
#
# Define Which index to send to
# index = usi-training
#
# Common section1
index = _internal
[monitor:///apps/splunk/splunkforwarder/var/log/splunk/splunkd.log]
_TCP_ROUTING = *

index = usi-training
[monitor:///var/log]
index = usi-training
recursive = false
# If false, Splunk will not monitor subdirectories found within a monitored directory.
# Defaults to true.
disabled = false
followTail = 1

# Common section2
[monitor:///var/log/messages]
index = usi-training
recursive = false
disabled = false
followTail = 1

# App server section1
[monitor:///opt/usi/portal/prod/vap/logs]
index = usi-training
recursive = false
disabled = false
followTail = 1

# App server section2
[monitor:///opt/usi/portal/prod/tomcat1/logs]
index = usi-training
recursive = false
disabled = false
followTail = 1

# App server section3
[monitor:///opt/usi/portal/prod/tomcat2/logs]
index = usi-training
recursive = false
disabled = false
followTail = 1

# App server section4
[monitor:///opt/usi/portal/prod/tomcat3/logs]
index = usi-training
recursive = false
disabled = false
followTail = 1

# DB server section
#
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-03-2011 11:57 AM

Can you also show us your inputs.conf, and if you have more than one?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...