I added an app recently to pull in PowerShell Transcription logs that are output to C:\Logs\YYYYMMDD\YYYYMMDDHHSS.randomstring.log
So I created the following app:
> [monitor://C:\Logs\\*\\*.txt]> followTail=false > disabled = false > sourcetype = ps_transcript >index = powershell
On some systems, PS is being run constantly from certain program/script updates. (10k in 24 hours on one server in particular). This creates a lot of small files that Splunk universal forwarder (UF) picks up. However, Splunk UF's CPU and memory usage has been going crazy with this. It isn't the size of the events, but I believe more of the number of files it has to monitor. Is this accurate? Is there a way to return the CPU usage to normal while still consuming the PS logs?
↧