Deployment Architecture

What does archivebuckets do on a heavyforwarder?

Muryoutaisuu
Communicator

Hi all

We are running Splunk on a distributed environment. We have an Index Cluster (8 nodes). Also on each system in our company we have installed a heavyforwarder which connects to said index cluster.
Now, on one of our Splunk heavyforwarders I'm seeing the following two entries in the audit.log file:

07-04-2017 17:17:01.048 +0200 INFO  AuditLogger - Audit:[timestamp=07-04-2017 17:17:01.047, id=176549, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', search='| archivebuckets', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Tue Jul  4 17:17:00 2017', savedsearch_name="Bucket Copy Trigger"][dPfPMAzihUAvwu25DGs55Xf1CJsx05R0VRu89fmCPrNTLq5bZvkWXn2/r5yXWMMHCnOuN2+ck805owYpyl70Dhe/mJnUf5oJiZ6xHsxFCYUp2IEQsNbJhwWzSDI6mKT/zcvoZcG3TrR4YJYGyFunuCaC/PLFJxN7rHILOFLTC3E=]

07-04-2017 17:17:15.698 +0200 INFO  AuditLogger - Audit:[timestamp=07-04-2017 17:17:15.697, id=176567, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', total_run_time=0.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1499181421, api_et=N/A, api_lt=1499181420.000000000, search_et=N/A, search_lt=1499181420.000000000, is_realtime=0, savedsearch_name="Bucket Copy Trigger", search_startup_time="79", searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][HY9tJiOsMSviYt8vKpwZtMaxWY1ng/Gf/DrLJQkwCoPtzFPZyRkJTu1hz21lGSSdiyEpJ8PojFl1PRjpHygGU/eEF/nwygcSWQ0Prjw+qM8QTqRjNOqTy/J6HKnoWGZEeR7SevX3D8msTga+/GZVUpzGOv/ptEIVXWVhGsldLkE=]

I'm wondering what the command | archivebucket does on a heavyforwarder. I'm aware in the second entry it sais that no events were found.

I'm asking because we seem to have some applicational performance issues after exactly those log entries and I wanted to be sure that they are absolutely unrelated. I believe, the command | archivebuckets does exactly nothing when 0 events were found?

What is the purpose of that command? It seems I can not find any documentation about it?

-Muryoutaisuu

0 Karma
1 Solution

kpawar_splunk
Splunk Employee
Splunk Employee

| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.

View solution in original post

0 Karma

kpawar_splunk
Splunk Employee
Splunk Employee

| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.

0 Karma

Muryoutaisuu
Communicator

Ok, thx for confirming!

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...