While logging Windows 4688 events I noticed that the Splunkd process is actually responsible for generating over 90% of the events. I am currently dropping the events generated by the Splunkd process at a heavy forwarder, but I'd like to stop Splunkd from generating them in the first place since they take up disk space on my end points.
I believe the Splunkd process keeps launching child processes that check the Windows event logs and terminate. This would mean that the Splunk UF is spending most of its time monitoring itself. I would like to know if there is a way to reduce the number of child processes generated by Splunkd so that my endpoints generate fewer 4688 (Process Created) events.
↧