Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

training splunk to recognize events from bacula

ebailey
Communicator
‎03-14-2011 07:20 PM

I am running into trouble getting splunk to properly break down events from bacula. Below is an example of a bacula event. The below represents a single backup job in the bacula log. I thought it would be easy to setup since every backup job has a common JobId. I thought I would be able to give splunk a line_breaker and then a regex but that is not working. Do I need to use the transaction command instead? I appreciate any help since I am getting no where fast.

Thanks

Ed

14-Mar 04:09 xxx-dir JobId 211: Start Backup JobId 211, Job=xxx.2011-03-14_04.05.00_29
14-Mar 04:09 xxx-dir JobId 211: Using Device "FileStorage"
14-Mar 04:09 xxx-sd JobId 211: Volume "Vol0007" previously written, moving to end of data.
14-Mar 04:09 xxx-sd JobId 211: Ready to append to end of Volume "Vol0007" size=36444353196
14-Mar 04:09 xxx-sd JobId 211: Job write elapsed time = 00:00:01, Transfer rate = 1.871 M Bytes/second
14-Mar 04:09 xxx-dir JobId 211: Bacula xxx-dir 5.0.3 (30Aug10): 14-Mar-2011 04:09:16
  Build OS:               i686-redhat-linux-gnu redhat Enterprise release
  JobId:                  211
  Job:                    chi01fep110.2011-03-14_04.05.00_29
  Backup Level:           Incremental, since=2011-03-13 04:07:25
  Client:                 "xxx-fd" 5.0.3 (30Aug10) i686-redhat-linux-gnu,redhat,Enterprise release
  FileSet:                "standard_etc" 2011-03-03 23:05:00
  Pool:                   "File" (From Job resource)
  Catalog:                "MyCatalog" (From Client resource)
  Storage:                "File" (From Job resource)
  Scheduled time:         14-Mar-2011 04:05:00
  Start time:             14-Mar-2011 04:09:16
  End time:               14-Mar-2011 04:09:16
  Elapsed time:           0 secs
  Priority:               10
  FD Files Written:       784
  SD Files Written:       784
  FD Bytes Written:       1,788,470 (1.788 MB)
  SD Bytes Written:       1,871,767 (1.871 MB)
  Rate:                   0.0 KB/s
  Software Compression:   64.7 %
  VSS:                    no
  Encryption:             no
  Accurate:               no
  Volume name(s):         Vol0007
  Volume Session Id:      146
  Volume Session Time:    1299264299
  Last Volume Bytes:      36,446,249,241 (36.44 GB)
  Non-fatal FD errors:    0
  SD Errors:              0
  FD termination status:  OK
  SD termination status:  OK
  Termination:            Backup OK

14-Mar 04:09 xxx-dir JobId 211: Begin pruning Jobs older than 1 month .
14-Mar 04:09 xxx-dir JobId 211: No Jobs found to prune.
14-Mar 04:09 xxx-dir JobId 211: Begin pruning Jobs.
14-Mar 04:09 xxx-dir JobId 211: No Files found to prune.
14-Mar 04:09 xxx-dir JobId 211: End auto prune.
Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-14-2011 07:37 PM

Hi Ed,

In this instance I personally would probably treat this as several events and use transaction as needed to weld them back together. I would probably use a BREAK_ONLY_BEFORE in props.conf such that lines with a date/time on them delinate events.

[bacula]
BREAK_ONLY_BEFORE=^\d{2}-[A-Za-z]{3}\s+\d{2}:\d{2}\s+
SHOULD_LINEMERGE = true
TIME_FORMAT=%d-%b %H:%M
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=13

Put that in your props.conf for this sourcetype. If it works right, your multi-line event should be treated as a single event. This will only take affect on data indexed after the change is made.

UPDATE - Ed, please try the above props.conf entry - it worked properly for me on your test data. Timestamps came out correct, and lines were delineated/merged appropriately.

Reply

dwaddle
SplunkTrust
SplunkTrust
‎03-16-2011 05:28 PM

Ed, see update above....

0 Karma
Reply

ebailey
Communicator
‎03-15-2011 02:49 AM

The event is still being broken up into pieces not related to the date/time. I added new data to the log after adding the above to the props.conf. Any ideas? Thanks!

0 Karma
Reply

ebailey
Communicator
‎03-15-2011 01:34 AM

Will give this a try and get back to you - Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...