RASPLIT(1)		    General Commands Manual		    RASPLIT(1)

NAME
       rasplit - split argus(8) data.

SYNOPSIS
       rasplit [[-M splitmode] [splitmode options]] [raoptions]
       [-- filter-expression]

DESCRIPTION
       Rasplit reads argus data from an argus-data source, and splits the
       resulting output into consecutive sections of records based on size,
       count, time, or flow event, writing the output into a set of output
       files.  By default, rasplit puts 10,000 records of input into each
       argus output file, or standard out.

       The output files' name consists of a prefix, which is specified using
       the -w ra option, and a suffix, which is created for each resulting
       file.  If no prefix is provided, then rasplit will use 'x' as the
       default prefix.  The suffix that is used is determined by the mode of
       operation.  When rasplit is using the default count mode or the size
       mode, the suffix is a group of letters 'aa', 'ab', and so on, such that
       concatenating the output files in sorted order by file name produces
       the original input file.  If rasplit needs to create more output
       files than are allowed by the default suffix strategy, more letters
       will be added in order to accommodate the needed files.  When the mode
       is time mode, the default output filename suffix is
       '%Y.%m.%d.%h.%m.%s', which is used by strftime() to create an output
       filename that is time oriented.  This default is overridden by adding
       a '%' extension to the name provided on the command line using the -w
       option.

       When standard out is specified, using -w -, rasplit will output a
       single argus-stream with START and STOP argus management records
       inserted appropriately to indicate where the output is split.  See
       argus(8) for more information on output stream formats.

       When rasplit is splitting on output record count (the default), the
       number of records is specified as an ordinal counter; the default is
       10,000 records.  When rasplit is splitting based on the maximum output
       file size, the size is specified as bytes.  The scale of the bytes can
       be specified by appending 'b', 'k' and 'm' to the number provided.

       When rasplit is splitting based on time, the time period is specified
       with the option, and can be any period based in seconds (s), minutes
       (m), hours (h), days (d), weeks (w), months (M) or years (y).  Rasplit
       will create and modify records as required to split on prescribed time
       boundaries.  If any record spans a time boundary, the record is split
       and the metrics are adjusted using a uniform distribution model to
       distribute the statistics between the two records.  Care is taken to
       avoid records with zero packet and byte counts, which could result
       from round-off error.
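
       The uniform distribution model described above, as an added
       illustration (not rasplit's own code): the Flow class, apportion()
       and split_on_boundaries() are hypothetical names, and dropping pieces
       that round to zero packets is an assumed way of avoiding zero-count
       records.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """Constructed stand-in for an argus flow record (not the argus format)."""
    start: int   # epoch seconds
    end: int
    pkts: int
    bytes: int

def apportion(total, weights):
    """Share an integer total across weights; largest remainders absorb round-off."""
    wsum = sum(weights)
    split = [divmod(total * w, wsum) for w in weights]
    parts = [q for q, _ in split]
    by_remainder = sorted(range(len(weights)), key=lambda i: split[i][1], reverse=True)
    for i in by_remainder[: total - sum(parts)]:
        parts[i] += 1
    return parts

def split_on_boundaries(flow, period):
    """Cut a flow at each multiple of `period` seconds that it spans."""
    if flow.end <= flow.start or flow.pkts == 0:
        return [flow]                      # nothing to distribute
    edges = [flow.start]
    t = (flow.start // period + 1) * period
    while t < flow.end:
        edges.append(t)
        t += period
    edges.append(flow.end)
    spans = list(zip(edges, edges[1:]))
    # Uniform model: packets are assumed evenly spread over the flow's duration.
    pkts = apportion(flow.pkts, [b - a for a, b in spans])
    # Assumption: pieces that round to zero packets are not emitted, and bytes
    # follow the packet shares so no piece carries packets without bytes.
    kept = [(s, p) for s, p in zip(spans, pkts) if p > 0]
    byts = apportion(flow.bytes, [p for _, p in kept])
    return [Flow(a, b, p, n) for ((a, b), p), n in zip(kept, byts)]

# Constructed sample: a 15-minute flow split on 10-minute (600 s) boundaries.
SAMPLE = Flow(start=1000, end=1900, pkts=9, bytes=900)

if __name__ == "__main__":
    for piece in split_on_boundaries(SAMPLE, 600):
        print(piece)
```

       The per-piece counters are estimates derived from the original
       record's totals, not per-interval observations; only their sum matches
       what was measured.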

       When rasplit is splitting based on flow event, the flow that acts as
       the event marker is specified using a standard ra filter expression
       that is bounded by quotes (").  Records that precede the first flow
       event in the data stream are written to the specified output file, and
       then new files are generated with the flow event record being the
       first record of the new file.  This method allows you to use wire
       events as triggers for splitting data.

RASPLIT SPECIFIC OPTIONS
       Rasplit, like all ra based clients, supports a number of ra options
       including remote data access, reading from multiple files and
       filtering of input argus records through a terminating filter
       expression.  rasplit(1) specific options are:

       -a suffix length
	    default is 2 characters.

       -d   Toggle running as a daemon.

       -M splitmode
            Supported splitting modes are:
                count <num>
                size <size>
                time <period>
                flow "filter-expression"

       -w filename
            Rasplit supports an extended -w option that allows for output
            record contents to be inserted into the output filename.
            Specified using '$' (dollar) notation, any printable field can be
            used.  Care should be taken to honor any shell escape
            requirements when specifying on the command line.  See ra(1) for
            the list of printable fields.

            As another extended feature, when using time mode, rasplit will
            process the supplied filename using strftime(3), so that time
            fields can be inserted into the resulting output filename.

INVOCATION
       This invocation reads argus(8) data from inputfile and splits the
       argus(8) data stream based on output file size of no greater than 1
       Megabyte.  The resulting output files have a prefix of 'argus.' and a
       suffix that starts with 'aa'.  The single trailing '.' is significant.

	  rasplit -r inputfile -M size 1m -w argus.

       This invocation splits inputfile based on hard 10 minute time
       boundaries.  The resulting output files are created with a prefix of
       '/archive/%Y/%m/%d/argus.' and the suffix is %H.%M.%S.  The values
       will be supplied based on the time in the record being written out.

	  rasplit -r * -M time 10m -w "/archive/%Y/%m/%d/argus.%H.%M.%S"

       This invocation splits inputfile based on the argus source identifier.
       The resulting output files are created with a prefix of
       '/archive/Source Identifier/argus.' and the default suffix starting
       with "aa".  The source identifier will be supplied based on the
       contents of the record being exported.  The template is single-quoted
       so that the shell passes $srcid to rasplit unexpanded.

	  rasplit -r * -M time 10m -w '/archive/$srcid/argus.'

       This invocation splits inputfile based on a flow event marker.  The
       resulting output files are created with a prefix of 'outfile.' and the
       default suffix starting with "aa".  Whenever a ping to a specific host
       is seen in the stream, a new output file is generated.

	  rasplit -r * -M flow "echo and host 1.2.3.4" -w outfile.

COPYRIGHT
       Copyright (c) 2000-2016 QoSient.	All rights reserved.

SEE ALSO
       ra(1), rarc(5), argus(8)

AUTHORS
       Carter Bullard (carter@qosient.com).

rasplit	3.0.8			12 August 2003			    RASPLIT(1)
