Hi,
i've read and tried this but somehow it does not work for me.
i've put the recommended settings into:
$SPLUNKHOME$/etc/system/local/props.conf
and also tried
$SPLUNKHOME$/etc/apps/search/local/props.conf
but it never really works.
Some events start in the middle of the indented block(eg at Start Time )
some start at the Date, but i never got the whole idendet Block into one event.
Here's an example of the data:
17-Jun 10:05 backup1.ber2-dir JobId 1948: Start Backup JobId 1948, Job=test.2011-06-17_10.05.00_40
17-Jun 10:05 backup1.ber2-dir JobId 1948: Using Device "FileStorage_test"
17-Jun 10:05 backup1.ber2-sd JobId 1948: Volume "test_new02" previously written, moving to end of data.
17-Jun 10:05 backup1.ber2-sd JobId 1948: Ready to append to end of Volume "test_new02" size=31846981494
17-Jun 10:10 backup1.ber2-sd JobId 1948: Job write elapsed time = 00:05:29, Transfer rate = 6.540 M Bytes/second
17-Jun 10:10 backup1.ber2-dir JobId 1948: Bacula backup1.ber2-dir 5.0.3 (04Aug10): 17-Jun-2011 10:10:39
Build OS: x86_64-unknown-linux-gnu debian 5.0.6
JobId: 1948
Job: test.2011-06-17_10.05.00_40
Backup Level: Incremental, since=2011-06-17 06:05:03
Client: "server11227.example.com-fd" 5.0.2 (28Apr10) x86_64-unknown-linux-gnu,redhat,Enterprise release
FileSet: "test Set" 2011-01-16 11:29:38
Pool: "File_test" (From Job resource)
Catalog: "MyCatalog" (From Client resource)
Storage: "File_test" (From Job resource)
Scheduled time: 17-Jun-2011 10:05:00
Start time: 17-Jun-2011 10:05:03
End time: 17-Jun-2011 10:10:39
Elapsed time: 5 mins 36 secs
Priority: 10
FD Files Written: 5
SD Files Written: 5
FD Bytes Written: 2,151,817,284 (2.151 GB)
SD Bytes Written: 2,151,817,820 (2.151 GB)
Rate: 6404.2 KB/s
Software Compression: None
VSS: no
Encryption: no
Accurate: no
Volume name(s): test_new02
Volume Session Id: 32
Volume Session Time: 1308035975
Last Volume Bytes: 34,000,395,480 (34.00 GB)
Non-fatal FD errors: 0
SD Errors: 0
FD termination status: OK
SD termination status: OK
Termination: Backup OK
17-Jun 10:10 backup1.ber2-dir JobId 1948: Begin pruning Jobs older than 6 months .
17-Jun 10:10 backup1.ber2-dir JobId 1948: No Jobs found to prune.
17-Jun 10:10 backup1.ber2-dir JobId 1948: Begin pruning Jobs.
17-Jun 10:10 backup1.ber2-dir JobId 1948: No Files found to prune.
17-Jun 10:10 backup1.ber2-dir JobId 1948: End auto prune.
Any help would be appreciated
Edit: Ah well i forgot:
Excerp from my props.conf:
[bacula]
BREAK_ONLY_BEFORE=^\d{2}-[A-Za-z]{3}\s+\d{2}:\d{2}\s+
SHOULD_LINEMERGE = true
TIME_FORMAT=%d-%b %H:%M
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=13
... View more
