Deployment Architecture

What does archivebuckets do on a heavyforwarder?

Muryoutaisuu
Communicator

Hi all

We are running Splunk on a distributed environment. We have an Index Cluster (8 nodes). Also on each system in our company we have installed a heavyforwarder which connects to said index cluster.
Now, on one of our Splunk heavyforwarders I'm seeing the following two entries in the audit.log file:

07-04-2017 17:17:01.048 +0200 INFO  AuditLogger - Audit:[timestamp=07-04-2017 17:17:01.047, id=176549, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', search='| archivebuckets', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Tue Jul  4 17:17:00 2017', savedsearch_name="Bucket Copy Trigger"][dPfPMAzihUAvwu25DGs55Xf1CJsx05R0VRu89fmCPrNTLq5bZvkWXn2/r5yXWMMHCnOuN2+ck805owYpyl70Dhe/mJnUf5oJiZ6xHsxFCYUp2IEQsNbJhwWzSDI6mKT/zcvoZcG3TrR4YJYGyFunuCaC/PLFJxN7rHILOFLTC3E=]

07-04-2017 17:17:15.698 +0200 INFO  AuditLogger - Audit:[timestamp=07-04-2017 17:17:15.697, id=176567, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', total_run_time=0.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1499181421, api_et=N/A, api_lt=1499181420.000000000, search_et=N/A, search_lt=1499181420.000000000, is_realtime=0, savedsearch_name="Bucket Copy Trigger", search_startup_time="79", searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][HY9tJiOsMSviYt8vKpwZtMaxWY1ng/Gf/DrLJQkwCoPtzFPZyRkJTu1hz21lGSSdiyEpJ8PojFl1PRjpHygGU/eEF/nwygcSWQ0Prjw+qM8QTqRjNOqTy/J6HKnoWGZEeR7SevX3D8msTga+/GZVUpzGOv/ptEIVXWVhGsldLkE=]

I'm wondering what the command | archivebucket does on a heavyforwarder. I'm aware in the second entry it sais that no events were found.

I'm asking because we seem to have some applicational performance issues after exactly those log entries and I wanted to be sure that they are absolutely unrelated. I believe, the command | archivebuckets does exactly nothing when 0 events were found?

What is the purpose of that command? It seems I can not find any documentation about it?

-Muryoutaisuu

0 Karma
1 Solution

kpawar_splunk
Splunk Employee
Splunk Employee

| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.

View solution in original post

0 Karma

kpawar_splunk
Splunk Employee
Splunk Employee

| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.

0 Karma

Muryoutaisuu
Communicator

Ok, thx for confirming!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...