I may be barking up the wrong tree with the basic question, so please feel free to correct me.
I have a Windows Print server with 2 vCPU that is frequently hitting 100% CPU Usage. The admin for that server is blaming the Splunk Agent, but I'm not seeing evidence of this (see my other recent thread about using SAM to monitor the agent itself). I'm not sure how I can find what is eating the CPU, and I don't want to run a full application discovery against it and apply templates that are meaningless.
One thing I'm curious about (that may or may not be related) is in the "Application Connections" widget. In it, the node is listed as having two "Unknown App(s)" communicating with two of our Domain Controllers. Specifically, traffic is shown to be hitting lsass.exe and svchost.exe on the domain controller nodes. But... I have no idea how to determine what is generating those. There's no listing of ports or processes that may be initiating this communication.
Is there any way (short of getting on the box and running network traces) to see what is communicating on those ports?
