We have a heavy forwarder which occasionally runs amok where splunkd.exe consumes all memory (12GB) on the server and sometimes (but not always) all the CPU. We suspect that it receives some events from the universal forwarders that our props and transforms struggle with, but we can't identify what the heavy forwarder is parsing.
Is there a way to tell:
1. What events are currently being processed?
2. Where they come from?
3. Which props/transforms stanzas are executing against them?