Solved: Re: Why is an older Windows universal forwarder us...

yannK · ‎12-17-2014

I installed a Windows universal forwarder on version 5.* 2 years ago, and upgraded it to 6.1.* recently.
Comparing the old upgraded UF versus a fresh install, I noticed that the old one was using much more resources (cpu/memory) to collect the Windows logs (perfmon, wineventlogs ...)

It seems that the only difference is the version of the Splunk Add-on for Microsoft Windows that was installed by the MSI installer.
I am not using a deployment server. Does it mean that the upgrade of Splunk does not upgrade the Windows TA?

haliakbar_splun · ‎12-17-2014

That is correct, upgrade does not install the latest version of Splunk_TA_windows, only new installs do. I have seen cases like yours and upgrading Splunk_TA to the latest version has resolve issues with High CPU/Mem. To find out what version you are on go to the etc/apps/splunk_TA_Windows/default/app.conf and look at the build.

ex 4.6.3 = build 172675

4.7.1 = build 226229
latest 4.7.3 = build 237290

https://apps.splunk.com/app/742/

View solution in original post

haliakbar_splun · ‎12-17-2014

That is correct, upgrade does not install the latest version of Splunk_TA_windows, only new installs do. I have seen cases like yours and upgrading Splunk_TA to the latest version has resolve issues with High CPU/Mem. To find out what version you are on go to the etc/apps/splunk_TA_Windows/default/app.conf and look at the build.

ex 4.6.3 = build 172675

4.7.1 = build 226229
latest 4.7.3 = build 237290

https://apps.splunk.com/app/742/

yannK · ‎12-17-2014

Installing the latest windows TA solved the performance problem.

Why is an older Windows universal forwarder using more resources than a fresh install, even after an upgrade?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases