Greetings,
Where can I disable the default Bucket Copy Trigger search to prevent jar files from returning in Splunk? Also, on which Splunk instance does this search need to be disabled? Please see below:
"Jar files matching the same filename of the files found in the directories above, but found in other directories on your Splunk instances are likely from normal Splunk operation (e.g. search head bundle replication) and can be safely deleted. If any jar files return in the splunk_archiver app, disabling the default Bucket Copy Trigger search in that app will stop this behavior from happening."
My Splunk architecture (airgapped) includes the following:
1 Search Head
1 Heavy Forwarder
1 Deployment Server
1 Cluster Master/License Master (operating as the same instance)
7 Indexers (all clustered)
Within my distributed environment, I just want to know where to disable this search to prevent this from happening again.
Thank you.
-KB
The search will definitely run on the search head so disable it there.
You can see the search in the audit index and additionally in the remote_searches.log on the indexers.
I don't believe the cluster master or indexers trigger this, but it is safe to disable it. It is related to the Hadoop data roll functionality.
Hi gjanders,
Thank you for your reply and the information you provided. How do I disable this functionality/search in the Search Head? Specifically, is there a conf.file to disable or is there another way to disable the search?
Thank you.
-KB
@KayBeesKnees83 - please let me know how you finally disabled the "Bucket trigger" in savedsearches.
Which savedsearches.conf file was used?
I am suffering from the issue and looking for the correct way to disable this setting.
I upgraded to Splunk v8.2.4 and deleted all the files as listed in the "Log4j report" from Splunk. However, if the aforementioned does not resolve your issue, you can disable the app completely. Search for the app "Bucket Copy" and just disable the app.
I hope this helps.
-KB
Is there an app named "Bucket copy" or "splunk_archiver"?
It is the "splunk_archiver" -- the Bucket Copy Trigger search is located within that app.
Isn't the bucket copy functionality necessary in Splunk?
No, it is not a necessary functionality in Splunk.
So [Bucket Copy Trigger] actually calls archivebuckets, which calls copybuckets. The archiving was leading me to question if the functionality is necessary because buckets do get moved from hot, warm, cold, archive.
In any Splunk install (head or indexer) I just need to do the following:
1. copy $SPLUNK_HOME/etc/apps/splunk_archiver/default/savedsearches.conf to $SPLUNK_HOME/etc/apps/splunk_archiver/local/savedsearches.conf
2. Update local/savedsearches.conf so that under [Bucket Copy Trigger] enableSched = 1 is changed to enableSched = 0
Anything else?
Looks good. I would also restart splunkd for good measure.
It ends up that in local/savedsearches.conf you also have to add disabled=1.
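The override the thread arrives at (enableSched = 0 plus disabled = 1 under [Bucket Copy Trigger] in local/savedsearches.conf), written out as an added shell example that is not from the thread or from Splunk. It assumes the standard $SPLUNK_HOME/etc/apps layout; the default savedsearches.conf it builds is constructed for offline use, not the app's real file, and the merge function only mimics Splunk's default/local layering.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk: write the minimal
# local override for the splunk_archiver "Bucket Copy Trigger" saved search and
# read back the effective values by merging local over default (local wins).

# Only the overridden keys are needed: Splunk merges local over default key by key.
disable_bucket_copy_trigger() {
    app_dir="$1/etc/apps/splunk_archiver"
    mkdir -p "$app_dir/local"
    cat > "$app_dir/local/savedsearches.conf" <<'EOF'
[Bucket Copy Trigger]
enableSched = 0
disabled = 1
EOF
}

# Effective value of key $3 in stanza $2 for the splunk_archiver app under $1.
# Reads default then local, so the last assignment seen is the winning one.
effective_setting() {
    app_dir="$1/etc/apps/splunk_archiver"
    for f in "$app_dir/default/savedsearches.conf" "$app_dir/local/savedsearches.conf"; do
        [ -f "$f" ] && cat "$f"
    done | awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); in_stanza = (s == stanza); next }
        in_stanza && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        }
        END { print val }'
}

# Constructed sample SPLUNK_HOME: stanza name and archivebuckets search come
# from the thread; the cron schedule is made up.
make_sample_splunk_home() {
    home=$(mktemp -d)
    mkdir -p "$home/etc/apps/splunk_archiver/default"
    cat > "$home/etc/apps/splunk_archiver/default/savedsearches.conf" <<'EOF'
[Bucket Copy Trigger]
enableSched = 1
cron_schedule = */15 * * * *
search = | archivebuckets
EOF
    echo "$home"
}

home=$(make_sample_splunk_home)
echo "before: enableSched=$(effective_setting "$home" "Bucket Copy Trigger" enableSched)"
disable_bucket_copy_trigger "$home"
echo "after: enableSched=$(effective_setting "$home" "Bucket Copy Trigger" enableSched) disabled=$(effective_setting "$home" "Bucket Copy Trigger" disabled)"
rm -rf "$home"
```

On a live instance, confirm the merged result with `splunk btool savedsearches list "Bucket Copy Trigger" --app=splunk_archiver --debug` and then restart splunkd as suggested in the thread.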
Thank you. I have found the app on search head and disabled it.
I don't have access to a Linux Splunk instance to test right now, but it should either be an "archive buckets" or "archive buckets trigger" saved search.
You can disable it via the Settings -> saved searches, or by creating a savedsearches.conf with the stanza and setting disabled=1
Or you could disable the entire app, I would disable the app personally...
With that said the | archivebuckets command might still work with the savedsearch disabled, it should fail once the app is disabled...