10-16-2008 09:25 AM
Silly question, I just started archiving data to an NFS share. If I want to search that archived data, what is the process? Thanks
10-17-2008 05:18 AM
There is no way to do that today using MARS. The RAW messages are just gzipped files in the archive though, so you could search them yourself. On a Linux box, you could do something like this:
Say I want to find any raw messages with a given username in them during October:
cd /archive-dir/
find ./2008-10*/ES/ -type f -name 'rm-*' | xargs zgrep -i 'USERNAME'
There are lots of variations on the above. Take a look at the archive directory structure. Each day has its own directory. The gzipped raw messages are stored in the ES directory and start with "rm-". They have the date/hour range in the filename so you can easily narrow down the list of files to search through using date/hour. So, to only look for events in October for the above user that occurred between 7-9am (roughly):
find ./2008-10*/ES/ -type f -name 'rm-*_2008-10-01-0[6-9]*' | xargs zgrep -i 'USERNAME'
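Added example, not part of the original post: a shell function that wraps the search described above so the day and file globs are quoted, file names are passed safely, and the search string is matched literally rather than as a regular expression. The function names, the demo file names and the message text are constructed for illustration; only the per-day directory, the ES subdirectory and the "rm-" prefix come from the post.

```shell
#!/bin/sh
# Added example. Layout assumed from the post:
#   <archive>/<day-dir>/ES/rm-*   (gzip-compressed raw messages)

# search_archive ARCHIVE_DIR DAY_GLOB FILE_GLOB STRING
#   DAY_GLOB   selects day directories, e.g. '2008-10*'
#   FILE_GLOB  selects file names,      e.g. 'rm-*_2008-10-01-0[6-9]*'
#   STRING     literal text to find (case-insensitive, never a regex)
# Prints one "path:message" line per hit.
search_archive() {
    [ "$#" -eq 4 ] && [ -n "$4" ] || {
        echo "usage: search_archive DIR DAY_GLOB FILE_GLOB STRING" >&2; return 2; }
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    (
        cd "$1" || exit 2
        # The globs stay quoted so find expands them, not the shell.
        # -exec ... {} + passes file names as arguments, so spaces or other
        # odd characters in a name cannot split it or be read as options.
        find . -type f -path "./$2/ES/*" -name "$3" -exec sh -c '
            needle=$1; shift
            for f do
                # Report files that fail to decompress instead of hiding them.
                { gzip -dc -- "$f" 2>/dev/null ||
                      echo "warning: cannot decompress $f" >&2; } |
                    grep -i -F -- "$needle" |
                    while IFS= read -r line; do
                        printf "%s:%s\n" "$f" "$line"
                    done
            done' sh "$4" {} +
    )
}

# Builds a small constructed archive for trying the function out.
# File names and messages are made up for this example.
build_demo_archive() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/2008-10-01/ES" "$d/2008-09-30/ES"
    printf '%s\n' 'login ok user=JSmith' 'login ok user=other' |
        gzip > "$d/2008-10-01/ES/rm-demo_2008-10-01-07"
    printf '%s\n' 'login failed user=jsmith' |
        gzip > "$d/2008-10-01/ES/rm-demo_2008-10-01-14"
    printf '%s\n' 'login ok user=jsmith' |
        gzip > "$d/2008-09-30/ES/rm-demo_2008-09-30-07"
    printf '%s\n' "$d"
}
```

For example, `search_archive /archive-dir '2008-10*' 'rm-*' 'USERNAME'` covers the first search in the post, with USERNAME standing in for the account of interest.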
10-17-2008 05:57 AM
Thanks mhellman. I notice when I do a diskusage command at the CLI it sees the archive disk. Do you know if MARS would actually search the archive partition for any information if it can't find it on the local hard drive?