We are running Splunk on a distributed environment. We have an Index Cluster (8 nodes). Also on each system in our company we have installed a heavyforwarder which connects to said index cluster.
Now, on one of our Splunk heavyforwarders I'm seeing the following two entries in the audit.log file:
07-04-2017 17:17:01.048 +0200 INFO AuditLogger - Audit:[timestamp=07-04-2017 17:17:01.047, id=176549, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', search='| archivebuckets', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Tue Jul 4 17:17:00 2017', savedsearch_name="Bucket Copy Trigger"][dPfPMAzihUAvwu25DGs55Xf1CJsx05R0VRu89fmCPrNTLq5bZvkWXn2/r5yXWMMHCnOuN2+ck805owYpyl70Dhe/mJnUf5oJiZ6xHsxFCYUp2IEQsNbJhwWzSDI6mKT/zcvoZcG3TrR4YJYGyFunuCaC/PLFJxN7rHILOFLTC3E=] 07-04-2017 17:17:15.698 +0200 INFO AuditLogger - Audit:[timestamp=07-04-2017 17:17:15.697, id=176567, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', total_run_time=0.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1499181421, api_et=N/A, api_lt=1499181420.000000000, search_et=N/A, search_lt=1499181420.000000000, is_realtime=0, savedsearch_name="Bucket Copy Trigger", search_startup_time="79", searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][HY9tJiOsMSviYt8vKpwZtMaxWY1ng/Gf/DrLJQkwCoPtzFPZyRkJTu1hz21lGSSdiyEpJ8PojFl1PRjpHygGU/eEF/nwygcSWQ0Prjw+qM8QTqRjNOqTy/J6HKnoWGZEeR7SevX3D8msTga+/GZVUpzGOv/ptEIVXWVhGsldLkE=]
I'm wondering what the command
| archivebucket does on a heavyforwarder. I'm aware in the second entry it sais that no events were found.
I'm asking because we seem to have some applicational performance issues after exactly those log entries and I wanted to be sure that they are absolutely unrelated. I believe, the command
| archivebuckets does exactly nothing when 0 events were found?
What is the purpose of that command? It seems I can not find any documentation about it?
| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.