mhellman Fri, 10/17/2008 - 05:18

There is no way to do that today using MARS. The RAW messages are just gzipped files in the archive though, so you could search them yourself. On a Linux box, you could do something like this:


Say I want to find any raw messages with a given username in them during October:


cd /archive-dir/

# USERNAME is a placeholder for the account name to search for
find ./2008-10*/ES/ -type f -name 'rm-*' | xargs zgrep -i 'USERNAME'


There are lots of variations on the above. Take a look at the archive directory structure. Each day has its own directory. The gzipped raw messages are stored in the ES directory and start with "rm-". They have the date/hour range in the filename so you can easily narrow down the list of files to search through using date/hour. So, to only look for events in October for the above user that occurred between 7-9am (roughly):


# USERNAME is a placeholder for the account name to search for
find ./2008-10*/ES/ -type f -name 'rm-*_2008-10-01-0[6-9]*' | xargs zgrep -i 'USERNAME'
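Added example, not part of the original post: the same archive search wrapped in a function that treats the username as a literal string and labels each hit with its file. The function names, sample file names and log lines are constructed for illustration; the exact "rm-" file naming on a real archive is an assumption and may differ.

```shell
# Added example: archive tree and file names are constructed; real MARS names may differ.
# search_raw ARCHIVE DAY_GLOB FILE_GLOB NEEDLE -> prints "file:line" per matching raw message
search_raw() {
    archive=$1 day_glob=$2 file_glob=$3 needle=$4
    # Quoted globs reach find unexpanded; only rm-* files under <day>/ES/ are read
    find "$archive" -type f -path "*/$day_glob/ES/$file_glob" | sort |
    while IFS= read -r f; do
        # -F: literal match, so '.' or '*' in a username is not regex syntax
        # -e: a needle that starts with '-' is not parsed as an option
        gzip -dc "$f" 2>/dev/null | grep -i -F -e "$needle" |
        while IFS= read -r line; do printf '%s:%s\n' "$f" "$line"; done
    done
}

# Builds a small constructed archive: one directory per day, gzipped rm-* files in ES/
make_sample_archive() {
    root=$1
    mkdir -p "$root/2008-09-30/ES" "$root/2008-10-01/ES" "$root/2008-10-02/ES"
    printf '%s\n' 'sshd: session opened for jsmith' |
        gzip -c > "$root/2008-09-30/ES/rm-sample_2008-09-30-08-00-00.gz"
    printf '%s\n' 'sshd: Accepted password for JSmith from 192.0.2.10' \
                  'sshd: Failed password for root from 192.0.2.99' |
        gzip -c > "$root/2008-10-01/ES/rm-sample_2008-10-01-07-00-00.gz"
    printf '%s\n' 'login: user j.smith logged in' \
                  'login: user jXsmith logged in' \
                  'login: user jsmith logged out' |
        gzip -c > "$root/2008-10-01/ES/rm-sample_2008-10-01-14-00-00.gz"
    printf '%s\n' 'sshd: session closed for jsmith' |
        gzip -c > "$root/2008-10-02/ES/rm-sample_2008-10-02-08-00-00.gz"
}

# Demo: October only, files whose name carries an hour of 06 to 09
demo=$(mktemp -d)
make_sample_archive "$demo"
search_raw "$demo" '2008-10-*' 'rm-*_2008-10-*-0[6-9]*' jsmith
rm -rf "$demo"
```

The hour glob matches on the file name only, so a file that spans the edge of the window can still hold events from outside it.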





PaulWelc Fri, 10/17/2008 - 05:57

Thanks mhellman. I notice when I do a diskusage command at the CLI it sees the archive disk. Do you know if MARS would actually search the archive partition for any information if it can't find it on the local hard drive?
