Hi guys,
I've just installed the Universal Forwarder on my NAS server (Windows Server 2008 R2) and I have configured it to read files from a directory.
The directory it is reading from contains 209,000 800-byte files dating from November 2013 to now. I told the forwarder to give me the last 6 months.
I noticed that during forwarding, the Universal Forwarder was using 2,072,XXX kilobytes. I assumed that this was just because it was forwarding files containing over 2.5 million events.
Once forwarding was complete and my indexer had the complete set of data from this forwarder, I expected the RAM utilization to drop, but it hasn't.
Splunk seems to be stuck at just under 2GB. I've restarted it many times with no luck; it just climbs straight back up to 2GB and stays there.
If I disable the app that looks into the directory that has this large amount of files, the forwarder only uses 50Mb.
The question is: how can I keep this RAM utilization down? I need that directory monitored.
Couple of things to note:
The inputs.conf is using crcSalt= and initCrcLength=1000 - I think this may be relevant but the forwarding will not work without it.