Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing appended Robocopy job logs

anewell
Path Finder
‎03-01-2011 08:46 PM

Has anybody dealt with splunking Windows Robocopy.exe logs? I'm about to dive into it, and am looking for prior art. My input files are created by scheduled robocopy jobs which append their logs to the file. I think I'm dealing with a SHOULD_LINEMERGE and needing to decide on a LINEBREAKER.

Edit: My primary goal is to be able to report & graph the "Bytes copied" and job duration values over time. In the example below, the value I'm after is 741.88 m but I'd be thrilled to extract more than that.

The first 3 lines are produced by the batch script which calls Robocopy. Lines 4 onward are robocopy itself. Indexing lines 1-3 may be ignored for purposes of arriving at a generalized robocopy solution.

================================================= 
Servername 
================================================= 
-------------------------------------------------------------------------------
   ROBOCOPY     ::     Robust File Copy for Windows     ::     Version XP010
-------------------------------------------------------------------------------

  Started : Tue Mar 01 10:00:01 2011

   Source : \\Servername\DATA\
     Dest : D:\BACKUPS\

    Files : *.*

  Options : *.* /NS /NC /NDL /NFL /S /E /COPY:DATS /PURGE /NP /R:0 /W:30 

------------------------------------------------------------------------------

                D:\BACKUPS\file1.txt
                D:\BACKUPS\file2.txt
                D:\BACKUPS\file3.dat
                # SNIP #
                D:\BACKUPS\fileN.bak


------------------------------------------------------------------------------

                Total    Copied   Skipped  Mismatch    FAILED    Extras
     Dirs :      1801         3      1798         0         0         0
    Files :     90133      3366     86767         0         0      1210
    Bytes :  24.011 g  741.88 m  23.286 g         0         0  157.96 m
    Times :   0:07:18   0:03:53                       0:00:00   0:03:25

    Speed :             3333995 Bytes/sec.
    Speed :             190.772 MegaBytes/min.

    Ended : Tue Mar 01 10:07:20 2011
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-06-2011 02:14 AM

I would suggest the entire log here as a single event, then using extractions and/or multikv to get out the values you want. So 

[robocopy]
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)(?=-{79}[\r\n]+\s+ROBOCOPY)
TIME_PREFIX = Started\s+:\s*
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 40
EXTRACT-bytes = [\r\n]+\s*Bytes\s+:\s+(?<bytestotal>[\d\.]+)\s*(?<bytestotalunits>[kmgtKMGT])?\s+(?<bytescopied>[\d\.]+)\s*(?<bytescopiedunits)[kmgtKMGT])?

If each job run is in a separate file, you could also use LINE_BREAKER = (?!), which means it will never break and the whole file is a single event.

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...