-a suffix length
    Starting append suffix length. The default is 2 characters.
    Buffer hold time before processing. This value is usually in the 5-15 second range and gives rastream time to sort records and schedule output file processing. The number is derived from the largest FAR status interval of all the argus data sources encountered.
    Post-processing program. rastream will execute this program just after closing the output file, passing the full path to the closed output file as a parameter, using this convention:
    This allows you to post-process the output file in an automated fashion.
    Generally, this program can do anything you like, such as aggregating and correcting flow records, labeling records for semantic enhancement, indexing the files using programs like rasqltimeindex(), and compressing the files. Traditionally, the program has been a shell script, perl program, or php script, so that it can be easily modified on the fly, but it can be any executable that can handle the "-r filename" parameter convention. The program should provide its own accountability and error logging, so that you know that things are working as you expect.
    rastream must have a path to the program, the program must be executable, and rastream must have permission to run the program for this strategy to be successful.
    An example rastream.sh is provided in the ./support/Config directory.
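A minimal post-processing script of the kind this option expects, added here as an example (it is not the project's support/Config/rastream.sh): it accepts the "-r filename" convention, rejects a path that is not a regular, non-empty file under an assumed ARCHIVE_ROOT, logs each decision to an assumed LOGFILE, and gzips the closed file.

```shell
#!/bin/sh
# Hypothetical rastream post-processing script: an added example, not the
# project's own support/Config/rastream.sh. rastream runs it after closing
# an output file as:   this_script -r /full/path/to/closed/file
# Assumed settings: ARCHIVE_ROOT is the directory rastream writes into and
# LOGFILE is where the script records what it did (both are assumptions).
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/archive}"
LOGFILE="${LOGFILE:-/var/log/rastream-post.log}"

# Timestamped single-line log entry, so a failed run is easy to spot.
log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOGFILE"
}

# Accept only the "-r filename" convention rastream uses; print the filename.
parse_args() {
    [ "$#" -eq 2 ] && [ "$1" = "-r" ] || return 1
    printf '%s\n' "$2"
}

# The path was built by rastream from record fields ($srcid, strftime
# patterns), so treat it as untrusted input: no eval, always quoted, and it
# must be a regular, non-empty file somewhere under ARCHIVE_ROOT.
check_path() {
    case "$1" in
        *..*) log "REJECT path contains '..': $1"; return 1 ;;
        "$ARCHIVE_ROOT"/*) ;;
        *) log "REJECT outside $ARCHIVE_ROOT: $1"; return 1 ;;
    esac
    [ -f "$1" ] || { log "REJECT not a regular file: $1"; return 1; }
    [ -s "$1" ] || { log "REJECT empty file: $1"; return 1; }
}

# Entry point: validate, then compress the closed file in place.
postprocess() {
    file=$(parse_args "$@") || { log "ERROR bad arguments: $*"; return 1; }
    check_path "$file" || return 1
    if command -v gzip >/dev/null 2>&1; then
        gzip -f "$file" || { log "ERROR gzip failed: $file"; return 1; }
        log "OK compressed: $file.gz"
    else
        log "OK left uncompressed (gzip not found): $file"
    fi
}

# Only act when rastream actually passed arguments.
if [ "$#" -gt 0 ]; then
    postprocess "$@"
fi
```

Install it with execute permission and point the post-processing option at its full path; the log file then shows one OK, REJECT or ERROR line per closed output file.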
Supported splitting modes are:
    count <num>
    size <size>
    time <period>
    flow "filter-expression"
Rastream supports an extended -w option that allows output record contents to be inserted into the output filename. Specified using $ (dollar) notation, any printable field can be used. Care should be taken to honor any shell escape requirements when specifying on the command line. See ra(1) for the list of
Another extended feature, when using time mode, rastream will process the supplied filename using strftime(3), so that time fields can be inserted into the resulting output filename.
This invocation reads argus(8) data from inputfile and splits the argus(8) data stream based on an output file size of no greater than 1 Megabyte. The resulting output files have a prefix of argus. and a suffix that starts with aa. The single trailing . is significant.

    rastream -r inputfile -M size 1m -w argus.

This invocation splits inputfile based on hard 10 minute time boundaries. The resulting output files are created with a prefix of /archive/%Y/%m/%d/argus. and the suffix is %H.%M.%S. The values will be supplied based on the time in the record being written out.

    rastream -r * -M time 10m -w "/archive/%Y/%m/%d/argus.%H.%M.%S"

This invocation splits inputfile based on the argus source identifier. The resulting output files are created with a prefix of /archive/Source Identifier/argus. and the default suffix starting with "aa". The source identifier will be supplied based on the contents of the record being exported.

    rastream -r * -M time 10m -w "/archive/$srcid/argus."

This invocation splits inputfile based on a flow event marker. The resulting output files are created with a prefix of outfile. and the default suffix starting with "aa". Whenever a ping to a specific host is seen in the stream, a new output file is generated.

    rastream -r * -M flow "echo and host 22.214.171.124" -w outfile.
Copyright (c) 2000-2014 QoSient. All rights reserved.
Carter Bullard (firstname.lastname@example.org).
rastream 3.0.8                RASTREAM (1)                12 August 2003