Hi,
I had a customer complaining that the Universal Forwarder on their server was running very hot. I checked, and lo and behold, it was running at 100% (Splunk 6.1.1). I checked the splunkd.log, and it had some errors:
Line breaking regex has no capturing groups: ^\d{2}:\d{2}:\d{2}\.\d{3}
Now, I thought the UF didn't actually break the feed into events. If so, why would this error cause the cpu spike in such a manner? I adjusted the line to be:
LINE_BREAKER = ([\r\n]+)[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\.\d{2,5}\s
And, the spike went away.
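An added illustration (not part of the original post and not Splunk's own code) of what the "no capturing groups" error is complaining about: Splunk's documented LINE_BREAKER semantics discard the text captured by the first group and start the next event at the end of that group, so a pattern with no group has no defined boundary. The script below emulates that behaviour with Python's re module on a constructed four-line log (the emulation is an approximation, not Splunk's parser), compares the original pattern from the splunkd.log error with the poster's corrected LINE_BREAKER, and shows the pre-flight check that would catch the bad setting before a forwarder is restarted.

```python
import re

# Constructed sample log (not from the original post): three events, the
# first of which spans two physical lines.
SAMPLE_LOG = (
    "12:00:01.123 INFO start\n"
    "continued line\n"
    "12:00:02.456 WARN something\n"
    "12:00:03.789 ERROR oops\n"
)

# The pattern reported in the splunkd.log error: no capturing group at all.
BROKEN_PATTERN = r"^\d{2}:\d{2}:\d{2}\.\d{3}"
# The corrected LINE_BREAKER from the post: group 1 captures the newline(s)
# to be consumed, the rest of the match stays with the next event.
FIXED_PATTERN = r"([\r\n]+)[0-2][0-9]:[0-5][0-9]:[0-5][0-9]\.\d{2,5}\s"


def has_capturing_group(pattern: str) -> bool:
    """Pre-flight check for a LINE_BREAKER: it needs at least one capturing group."""
    return re.compile(pattern).groups > 0


def validate_line_breaker(pattern: str):
    """Return None if the pattern is usable, otherwise a message mirroring splunkd.log."""
    if not has_capturing_group(pattern):
        return f"Line breaking regex has no capturing groups: {pattern}"
    return None


def break_events(raw: str, pattern: str) -> list:
    """Emulate Splunk-style line breaking (assumption: approximation, not Splunk's parser).

    The event boundary sits at the end of group 1; the text captured by group 1
    is dropped, and whatever else the regex matched (here the timestamp and the
    following space) remains the start of the next event.
    """
    problem = validate_line_breaker(pattern)
    if problem:
        raise ValueError(problem)
    regex = re.compile(pattern)
    events = []
    pos = 0
    for m in regex.finditer(raw):
        if m.start(1) == -1:
            continue  # group 1 did not participate in this match; no boundary
        chunk = raw[pos:m.start(1)]
        if chunk.strip():
            events.append(chunk)
        pos = m.end(1)  # skip the captured delimiter only
    tail = raw[pos:].rstrip("\r\n")
    if tail.strip():
        events.append(tail)
    return events


if __name__ == "__main__":
    print("broken pattern:", validate_line_breaker(BROKEN_PATTERN))
    print("fixed pattern :", validate_line_breaker(FIXED_PATTERN))
    for i, ev in enumerate(break_events(SAMPLE_LOG, FIXED_PATTERN), 1):
        print(f"event {i}: {ev!r}")
```

Running the check in a props.conf review step (or a pre-commit hook for the deployment server's app directory) surfaces the missing group before the forwarder does, which is cheaper than finding it through CPU graphs.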