Getting Data In

Daily Indexing Blown away by Universal Forwarder and Performance Monitoring

rhoska
Engager

Has anyone else seen that installing a Universal Forwarder turned on remote performance monitoring for the receiving Splunk 4.2.2 build 101277 instance monitoring localhost?

I’ve been using a free version of Splunk over the past few months and have had to reinstall numerous times due to exceeding the license due to my exuberance in adding data inputs. My latest instance has been up and running quite nicely for 3 weeks now with an average indexing volume well below 100 MB a day.

On Wednesday of this week I installed a Universal Forwarder on an AD machine and set up the default performance monitoring (huge mistake but totally my fault) and that night I received a daily volume limit exceeded message.

Splunk made it fairly easy to figure out where all the data was coming from: the 3 years of historical logs plus the performance monitoring reports gobbled up my indexing allocation. After struggling with the documentation looking for a configuration switch to turn off the performance monitoring and not getting anywhere, I uninstalled the Universal Forwarder and then deleted all the logs that had been sent to Splunk, expecting to reinstall the Universal Forwarder again today.

Much to my surprise, when I logged into my Splunk server this morning I was greeted by another daily volume limit exceeded message. Splunk to the rescue: I immediately noticed that the machine I was running my Splunk server on had jumped from the bottom of the list of hosts based on events to the top.

I had not set up performance monitoring on the machine hosting my Splunk instance. But since installing the Universal Forwarder on another machine on Wednesday, Splunk has been capturing Remote Performance information from localhost. Needless to say, I’ve disabled it now, but it cost me 2 of my 3 index volume limits for the next 30 days.

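The configuration switch the post was hunting for lives in inputs.conf: every input stanza, perfmon:// ones included, accepts disabled = 1, and a local/ override layered on top of the app's default file is the supported way to turn them off. As an added example that is not from the original post or from Splunk itself, the script below parses a constructed inputs.conf resembling the Windows inputs a Universal Forwarder enables when the installer defaults are accepted, lists the stanzas still enabled (a missing disabled key means enabled, as in Splunk), and renders the override that disables them.

```python
"""Audit a Splunk inputs.conf for enabled inputs and emit a local override.

SAMPLE_INPUTS_CONF is a constructed sample: the stanza and key names follow
Splunk's inputs.conf format, but the counter lists are illustrative, not
copied from any real install."""
import configparser

SAMPLE_INPUTS_CONF = """
[perfmon://CPU]
object = Processor
counters = % Processor Time; % User Time
instances = *
interval = 10
disabled = 0

[perfmon://Memory]
object = Memory
counters = Available Bytes; Pages/sec
interval = 10

[WinEventLog://Security]
disabled = 1

[monitor://C:\\inetpub\\logs\\LogFiles]
disabled = 0
"""

def parse_inputs(text):
    """Return {stanza_name: {key: value}} for the conf text."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in counters
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def enabled_inputs(stanzas, scheme=None):
    """Stanza names that will actually collect data. Splunk treats an
    absent 'disabled' as enabled; scheme='perfmon' narrows to perf counters."""
    out = []
    for name, keys in stanzas.items():
        if scheme and not name.startswith(scheme + "://"):
            continue
        if keys.get("disabled", "0").strip().lower() not in ("1", "true"):
            out.append(name)
    return out

def disable_override(stanza_names):
    """Render a local/inputs.conf fragment switching the stanzas off."""
    return "\n".join(f"[{n}]\ndisabled = 1\n" for n in stanza_names)

if __name__ == "__main__":
    perf = enabled_inputs(parse_inputs(SAMPLE_INPUTS_CONF), "perfmon")
    print(disable_override(perf))
```

Before disabling an input, a practitioner would also check the indexer's license usage report by host and sourcetype so the override targets the inputs that actually consumed the daily quota.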

rhoska
Engager

I just found another post with the same issue here for version 4.1.7.
