- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Parsing appended Robocopy job logs
Has anybody dealt with splunking Windows Robocopy.exe logs? I'm about to dive into it, and am looking for prior art. My input files are created by scheduled robocopy jobs which append their logs to the file. I think I'm dealing with a SHOULD_LINEMERGE and needing to decide on a LINEBREAKER.
Edit: My primary goal is to be able to report & graph the "Bytes copied" and job duration values over time. In the example below, the value I'm after is 741.88 m but I'd be thrilled to extract more than that.
The first 3 lines are produced by the batch script which calls Robocopy. Lines 4 onward are robocopy itself. Indexing lines 1-3 may be ignored for purposes of arriving at a generalized robocopy solution.
=================================================
Servername
=================================================
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows :: Version XP010
-------------------------------------------------------------------------------
Started : Tue Mar 01 10:00:01 2011
Source : \\Servername\DATA\
Dest : D:\BACKUPS\
Files : *.*
Options : *.* /NS /NC /NDL /NFL /S /E /COPY:DATS /PURGE /NP /R:0 /W:30
------------------------------------------------------------------------------
D:\BACKUPS\file1.txt
D:\BACKUPS\file2.txt
D:\BACKUPS\file3.dat
# SNIP #
D:\BACKUPS\fileN.bak
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1801 3 1798 0 0 0
Files : 90133 3366 86767 0 0 1210
Bytes : 24.011 g 741.88 m 23.286 g 0 0 157.96 m
Times : 0:07:18 0:03:53 0:00:00 0:03:25
Speed : 3333995 Bytes/sec.
Speed : 190.772 MegaBytes/min.
Ended : Tue Mar 01 10:07:20 2011
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would suggest the entire log here as a single event, then using extractions and/or multikv to get out the values you want. So
[robocopy]
SHOULD_LINEMERGE = false
TRUNCATE = 0
LINE_BREAKER = ([\r\n]+)(?=-{79}[\r\n]+\s+ROBOCOPY)
TIME_PREFIX = Started\s+:\s*
TIME_FORMAT = %a %b %d %H:%M:%S %Y
MAX_TIMESTAMP_LOOKAHEAD = 40
EXTRACT-bytes = [\r\n]+\s*Bytes\s+:\s+(?<bytestotal>[\d\.]+)\s*(?<bytestotalunits>[kmgtKMGT])?\s+(?<bytescopied>[\d\.]+)\s*(?<bytescopiedunits)[kmgtKMGT])?
If each job run is in a separate file, you could also use LINE_BREAKER = (?!), which means it will never break and the whole file is a single event.
