Hi all
We are running Splunk in a distributed environment. We have an index cluster (8 nodes). Also, on each system in our company we have installed a heavy forwarder which connects to said index cluster.
Now, on one of our Splunk heavy forwarders I'm seeing the following two entries in the audit.log file:
07-04-2017 17:17:01.048 +0200 INFO AuditLogger - Audit:[timestamp=07-04-2017 17:17:01.047, id=176549, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', search='| archivebuckets', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Tue Jul 4 17:17:00 2017', savedsearch_name="Bucket Copy Trigger"][dPfPMAzihUAvwu25DGs55Xf1CJsx05R0VRu89fmCPrNTLq5bZvkWXn2/r5yXWMMHCnOuN2+ck805owYpyl70Dhe/mJnUf5oJiZ6xHsxFCYUp2IEQsNbJhwWzSDI6mKT/zcvoZcG3TrR4YJYGyFunuCaC/PLFJxN7rHILOFLTC3E=]
07-04-2017 17:17:15.698 +0200 INFO AuditLogger - Audit:[timestamp=07-04-2017 17:17:15.697, id=176567, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', total_run_time=0.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1499181421, api_et=N/A, api_lt=1499181420.000000000, search_et=N/A, search_lt=1499181420.000000000, is_realtime=0, savedsearch_name="Bucket Copy Trigger", search_startup_time="79", searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][HY9tJiOsMSviYt8vKpwZtMaxWY1ng/Gf/DrLJQkwCoPtzFPZyRkJTu1hz21lGSSdiyEpJ8PojFl1PRjpHygGU/eEF/nwygcSWQ0Prjw+qM8QTqRjNOqTy/J6HKnoWGZEeR7SevX3D8msTga+/GZVUpzGOv/ptEIVXWVhGsldLkE=]
I'm wondering what the command `| archivebuckets` does on a heavy forwarder. I'm aware that the second entry says no events were found.
I'm asking because we seem to have some application performance issues right after exactly those log entries, and I wanted to be sure that they are absolutely unrelated. I believe the command `| archivebuckets` does exactly nothing when 0 events were found?
What is the purpose of that command? It seems I cannot find any documentation about it.
-Muryoutaisuu