We faced a similar issue, both with the old eStreamer perl Splunk app and the new eStreamer eNcore python one. Reported it about a year ago.
One CPU running the python script maxed at 100% with either app.
The log files that the app writes have up-to-date file names (the file names include the date), but the events inside the files gradually get more and more delayed until there is a gap in the logs.
Try this search to see if there are gaps in your logs (select visualization tab):
earliest=-1d sourcetype="cisco:estreamer:data"
| timechart count span=15m
Looked like a square wave for us... lots of events for a few hours, then a gap for about an hour of none.
I edited the python to make it multiprocess and was able to get rid of the issue, and get all my logs on time. More of a proof of concept than production code, though... I don't have the time to do the code changes properly, but I had to get it working because we don't have the bandwidth to use syslog (doubles bandwidth usage if you are also sending logs to FMC). I did provide the proof of concept code to Cisco in September 2017.
If you can, just use syslog until they get this working. Seems to be what most folks do.
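An added check, not the poster's code or part of the eStreamer app, for spotting the same symptom from the written files rather than from Splunk: it parses log lines (assumed shape with a leading ISO-8601 UTC timestamp, constructed sample data), buckets events into 15-minute spans like the timechart search above, and reports empty spans plus how far the newest event lags behind "now".

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SPAN = timedelta(minutes=15)
FMT = "%Y-%m-%dT%H:%M:%S"
# Assumed line shape (constructed, not the real eNcore output): each line
# starts with an ISO-8601 UTC timestamp; the rest of the line is ignored.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z?\s")

def make_sample():
    """Constructed lines: an event every 5 min from 00:00 to 02:55, nothing
    for an hour, then 04:00 to 04:55 (the 'square wave' symptom)."""
    base = datetime(2018, 3, 1, tzinfo=timezone.utc)
    offsets = list(range(0, 180, 5)) + list(range(240, 300, 5))
    return [f"{(base + timedelta(minutes=m)).strftime(FMT)}Z event=sample"
            for m in offsets]

def parse_timestamps(lines):
    """Sorted UTC datetimes for every line that starts with a timestamp."""
    matches = (TS_RE.match(line) for line in lines)
    return sorted(datetime.strptime(m.group(1), FMT).replace(tzinfo=timezone.utc)
                  for m in matches if m)

def floor_to_span(ts):
    """Start of the 15-minute span containing ts."""
    step, secs = int(SPAN.total_seconds()), int(ts.timestamp())
    return datetime.fromtimestamp(secs - secs % step, tz=timezone.utc)

def find_gaps(timestamps):
    """One (start, end) ISO pair per run of empty 15-minute spans between
    the first and last event, i.e. the empty buckets in the timechart."""
    if not timestamps:
        return []
    counts = Counter(floor_to_span(t) for t in timestamps)
    cur, last = floor_to_span(timestamps[0]), floor_to_span(timestamps[-1])
    gaps, gap_start = [], None
    while cur <= last:
        if counts[cur] == 0 and gap_start is None:
            gap_start = cur
        elif counts[cur] and gap_start is not None:
            gaps.append((gap_start.strftime(FMT), cur.strftime(FMT)))
            gap_start = None
        cur += SPAN
    return gaps

def lag_minutes(timestamps, now_iso):
    """Minutes the newest event trails now_iso; a growing value means the feed
    is falling behind even though the file name still carries today's date."""
    now = datetime.strptime(now_iso, FMT).replace(tzinfo=timezone.utc)
    return int((now - timestamps[-1]).total_seconds() // 60)
```

Run it against a day's real output file (one line per event) and alert when find_gaps is non-empty or lag_minutes keeps climbing between runs.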