Retrieving Data from Archive

Unanswered Question
Oct 16th, 2008

Silly question: I just started archiving data to an NFS share. If I want to search that archived data, what is the process? Thanks

mhellman Fri, 10/17/2008 - 05:18

There is no way to do that today using MARS. The RAW messages are just gzipped files in the archive though, so you could search them yourself. On a Linux box, you could do something like this:

Say I want to find any raw messages with a given username in them during October:

cd /archive-dir/

find ./2008-10*/ES/ -type f -name 'rm-*' | xargs zgrep -i 'USERNAME'

There are lots of variations on the above. Take a look at the archive directory structure. Each day has its own directory. The gzipped raw messages are stored in the ES directory and start with "rm-". They have the date/hour range in the filename so you can easily narrow down the list of files to search through using date/hour. So, to only look for events in October for the above user that occurred between 7-9am (roughly):

find ./2008-10*/ES/ -type f -name 'rm-*_2008-10-01-0[6-9]*' | xargs zgrep -i 'USERNAME'
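
Added example (not part of the original thread and not Cisco's code): a POSIX shell function for the search described in the answer above, which treats the search term as a fixed string rather than a regex and prefixes each hit with the file it came from. It swaps zgrep for gzip -dc piped into grep -F; the function names and the sample file names are assumptions made up for this example, not the real MARS naming.

```shell
#!/bin/sh
# search_archive ARCHIVE_DIR DAY_GLOB FILE_GLOB TERM
#   ARCHIVE_DIR  root of the archive (one directory per day underneath)
#   DAY_GLOB     which day directories to search, e.g. '2008-10*'
#   FILE_GLOB    which raw-message files in ES/, e.g. 'rm-*'
#   TERM         text to look for (case-insensitive, taken literally)
# Prints "file:line" for every matching raw message.
search_archive() {
    # -exec ... {} + hands file names to sh as arguments, so names with
    # spaces or newlines are safe (no xargs word splitting).
    find "$1" -type f -path "*/$2/ES/$3" -exec sh -c '
        term=$1; shift
        for f do
            # grep -F: a term such as "a.b" or "user[1]" is not a regex.
            # -e: a term starting with "-" is not parsed as an option.
            gzip -dc < "$f" | grep -i -F -e "$term" |
                while IFS= read -r line; do
                    printf "%s:%s\n" "$f" "$line"
                done
        done' sh "$4" {} +
}

# Builds a small constructed archive for trying the function out.
# The file names below are invented; only the layout (day/ES/rm-*)
# follows the description in the thread.
make_sample_archive() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/2008-10-01/ES" "$root/2008-11-01/ES"
    printf '%s\n' 'login ok user=jdoe src=192.0.2.10' 'login ok user=asmith' |
        gzip -c > "$root/2008-10-01/ES/rm-sample_2008-10-01-07"
    printf '%s\n' 'login failed user=JDOE' |
        gzip -c > "$root/2008-10-01/ES/rm-sample_2008-10-01-13"
    printf '%s\n' 'login ok user=jdoe' |
        gzip -c > "$root/2008-11-01/ES/rm-sample_2008-11-01-07"
    printf '%s\n' "$root"
}

# Usage: search_archive /archive-dir '2008-10*' 'rm-*' 'USERNAME'
```
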

PaulWelc Fri, 10/17/2008 - 05:57

Thanks mhellman. I notice when I do a diskusage command at the CLI it sees the archive disk. Do you know if MARS would actually search the archive partition for any information if it can't find it on the local hard drive?
