Deployment Architecture

What does archivebuckets do on a heavyforwarder?

Muryoutaisuu
Communicator

Hi all

We are running Splunk on a distributed environment. We have an Index Cluster (8 nodes). Also on each system in our company we have installed a heavyforwarder which connects to said index cluster.
Now, on one of our Splunk heavyforwarders I'm seeing the following two entries in the audit.log file:

07-04-2017 17:17:01.048 +0200 INFO  AuditLogger - Audit:[timestamp=07-04-2017 17:17:01.047, id=176549, user=splunk-system-user, action=search, info=granted , search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', search='| archivebuckets', autojoin='1', buckets=0, ttl=7200, max_count=500000, maxtime=8640000, enable_lookups='1', extra_fields='', apiStartTime='ZERO_TIME', apiEndTime='Tue Jul  4 17:17:00 2017', savedsearch_name="Bucket Copy Trigger"][dPfPMAzihUAvwu25DGs55Xf1CJsx05R0VRu89fmCPrNTLq5bZvkWXn2/r5yXWMMHCnOuN2+ck805owYpyl70Dhe/mJnUf5oJiZ6xHsxFCYUp2IEQsNbJhwWzSDI6mKT/zcvoZcG3TrR4YJYGyFunuCaC/PLFJxN7rHILOFLTC3E=]

07-04-2017 17:17:15.698 +0200 INFO  AuditLogger - Audit:[timestamp=07-04-2017 17:17:15.697, id=176567, user=splunk-system-user, action=search, info=completed, search_id='scheduler__nobody_c3BsdW5rX2FyY2hpdmVy__RMD5473cbac83d6c9db7_at_1499181420_516', total_run_time=0.96, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1499181421, api_et=N/A, api_lt=1499181420.000000000, search_et=N/A, search_lt=1499181420.000000000, is_realtime=0, savedsearch_name="Bucket Copy Trigger", search_startup_time="79", searched_buckets=0, eliminated_buckets=0, considered_events=0, total_slices=0, decompressed_slices=0][HY9tJiOsMSviYt8vKpwZtMaxWY1ng/Gf/DrLJQkwCoPtzFPZyRkJTu1hz21lGSSdiyEpJ8PojFl1PRjpHygGU/eEF/nwygcSWQ0Prjw+qM8QTqRjNOqTy/J6HKnoWGZEeR7SevX3D8msTga+/GZVUpzGOv/ptEIVXWVhGsldLkE=]

I'm wondering what the command | archivebucket does on a heavyforwarder. I'm aware in the second entry it sais that no events were found.

I'm asking because we seem to have some applicational performance issues after exactly those log entries and I wanted to be sure that they are absolutely unrelated. I believe, the command | archivebuckets does exactly nothing when 0 events were found?

What is the purpose of that command? It seems I can not find any documentation about it?

-Muryoutaisuu

0 Karma
1 Solution

kpawar_splunk
Splunk Employee
Splunk Employee

| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.

View solution in original post

0 Karma

kpawar_splunk
Splunk Employee
Splunk Employee

| archivebuckets command is used to archive splunk indexed data to hadoop or s3.
Here is a link about splunk archiving to hadoop or s3 : http://docs.splunk.com/Documentation/Splunk/6.6.2/Indexer/ArchivingindexestoHadoop
| archivebuckets command is enabled by default and will run every hour. This command will perform archiving and use cpu only if archiving is setup. In your case, since you haven't setup archiving, command will detect that and will exit with 0 events. This command should be unrelated to application performance issue.

0 Karma

Muryoutaisuu
Communicator

Ok, thx for confirming!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...