RASPLIT(1)                  General Commands Manual                 RASPLIT(1)

NAME

       rasplit - split argus(8) data.

SYNOPSIS

       rasplit [[-M splitmode] [splitmode options]] [raoptions]
               [-- filter-expression]

DESCRIPTION

       Rasplit reads argus data from an argus-data source, and splits the
       resulting output into consecutive sections of records based on size,
       count, time, or flow event, writing the output into a set of output
       files.  By default, rasplit puts 10,000 records of input into each
       argus output file, or standard out.

       The output file name consists of a prefix, which is specified using
       the -w ra option, and a suffix, which is created for each resulting
       file.  If no prefix is provided, rasplit uses 'x' as the default
       prefix.  The suffix is determined by the mode of operation.  When
       rasplit is using the default count mode or the size mode, the suffix
       is a group of letters 'aa', 'ab', and so on, such that concatenating
       the output files in sorted order by file name produces the original
       input file.  If rasplit needs to create more output files than the
       default suffix strategy allows, more letters are added to accommodate
       the needed files.  When the mode is time mode, the default output
       filename suffix is '%Y.%m.%d.%h.%m.%s', which is used by strftime()
       to create an output filename that is time oriented.  This default is
       overridden by adding a '%' extension to the name provided on the
       command line using the -w option.

       When standard out is specified, using -w -, rasplit will output a
       single argus-stream with START and STOP argus management records
       inserted appropriately to indicate where the output is split.  See
       argus(8) for more information on output stream formats.

       When rasplit is splitting on output record count (the default), the
       number of records is specified as an ordinal counter; the default is
       10,000 records.  When rasplit is splitting based on the maximum output
       file size, the size is specified as bytes.  The scale of the bytes can
       be specified by appending 'b', 'k' and 'm' to the number provided.

       When rasplit is splitting based on time, the time period is specified
       with the -M time option, and can be any period based in seconds (s),
       minutes (m), hours (h), days (d), weeks (w), months (M) or years (y).
       Rasplit will create and modify records as required to split on the
       prescribed time boundaries.  If any record spans a time boundary, the
       record is split and the metrics are adjusted using a uniform
       distribution model to distribute the statistics between the two
       records.  Care is taken to avoid records with zero packet and byte
       counts that could result from round-off error.

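The time-boundary split described above can be modelled as follows. This is an added illustration, not rasplit's own code. The rounding scheme, the rule that a piece rounding to zero packets is not emitted, the UTC bin-start file naming, and the sample records are all assumptions.

```python
import time

PERIOD = 600  # seconds; corresponds to "-M time 10m" on this page


def _share(total, num, den):
    """Nearest integer to total*num/den, in integer arithmetic (half rounds up)."""
    return (2 * total * num + den) // (2 * den)


def split_record(start, end, pkts, nbytes, period=PERIOD):
    """Split one record (integer epoch seconds) on period boundaries.

    Counts are spread uniformly over the record's duration.  Cumulative
    rounding keeps the totals exact; a piece that rounds to zero packets is
    not emitted.  Assumes nbytes >= pkts, so a piece with packets has bytes.
    """
    if end <= start or pkts <= 0:
        return [(start, end, pkts, nbytes)]
    first = (start // period + 1) * period          # first boundary after start
    cuts = [start] + list(range(first, end, period)) + [end]
    dur, pieces, prev_p, prev_b = end - start, [], 0, 0
    for lo, hi in zip(cuts, cuts[1:]):
        cum_p = _share(pkts, hi - start, dur)       # packets up to this cut
        cum_b = _share(nbytes, cum_p, pkts)         # bytes follow the packets
        if cum_p > prev_p:                          # skip zero-packet pieces
            pieces.append((lo, hi, cum_p - prev_p, cum_b - prev_b))
        prev_p, prev_b = cum_p, cum_b
    return pieces


def output_name(pattern, ts, period=PERIOD):
    """Expand a strftime pattern for the time bin holding ts (UTC assumed)."""
    return time.strftime(pattern, time.gmtime(ts // period * period))


if __name__ == "__main__":
    pattern = "/archive/%Y/%m/%d/argus.%H.%M.%S"
    # Constructed sample records: (start, end, packets, bytes)
    for rec in [(540, 1260, 12, 7200), (599, 1201, 3, 180)]:
        for lo, hi, p, b in split_record(*rec):
            print(output_name(pattern, lo), lo, hi, p, b)
```

The second sample record overlaps two bins by only one second each; a naive proportional split would emit two zero-count records there, which is the round-off case the paragraph above refers to.
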
       When rasplit is splitting based on flow event, the flow that acts as
       the event marker is specified using a standard ra filter expression
       that is bounded by quotes (").  Records that precede the first flow
       event in the data stream are written to the specified output file, and
       then new files are generated with the flow event record being the
       first record of the new file.  This method allows you to use wire
       events as triggers for splitting data.

RASPLIT SPECIFIC OPTIONS

       Rasplit, like all ra based clients, supports a number of ra options
       including remote data access, reading from multiple files and filtering
       of input argus records through a terminating filter expression.
       rasplit(1) specific options are:

       -a suffix length
            default is 2 characters.

       -d   Toggle running as a daemon.

       -M splitmode
            Supported splitting modes are:
                count <num>
                size <size>
                time <period>
                flow "filter-expression"

       -w filename
            Rasplit supports an extended -w option that allows output record
            contents to be inserted into the output filename.  Specified
            using '$' (dollar) notation, any printable field can be used.
            Care should be taken to honor any shell escape requirements when
            specifying on the command line.  See ra(1) for the list of
            printable fields.

            As another extended feature, when using time mode, rasplit will
            process the supplied filename using strftime(3), so that time
            fields can be inserted into the resulting output filename.

INVOCATION

       This invocation reads argus(8) data from inputfile and splits the
       argus(8) data stream based on output file size of no greater than 1
       Megabyte.  The resulting output files have a prefix of argus. and a
       suffix that starts with 'aa'.  The single trailing '.' is significant.

          rasplit -r inputfile -M size 1m -w argus.

       This invocation splits inputfile based on hard 10 minute time
       boundaries.  The resulting output files are created with a prefix of
       /archive/%Y/%m/%d/argus. and the suffix is %H.%M.%S.  The values will
       be supplied based on the time in the record being written out.

          rasplit -r * -M time 10m -w "/archive/%Y/%m/%d/argus.%H.%M.%S"

       This invocation splits inputfile based on the argus source identifier.
       The resulting output files are created with a prefix of
       /archive/Source Identifier/argus. and the default suffix starting with
       "aa".  The source identifier will be supplied based on the contents of
       the record being exported.  The filename is single-quoted so that the
       shell passes $srcid to rasplit unexpanded.

          rasplit -r * -M time 10m -w '/archive/$srcid/argus.'

       This invocation splits inputfile based on a flow event marker.  The
       resulting output files are created with a prefix of 'outfile.' and the
       default suffix starting with "aa".  Whenever a ping to a specific host
       is seen in the stream, a new output file is generated.

          rasplit -r * -M flow "echo and host 1.2.3.4" -w outfile.

       Copyright (c) 2000-2016 QoSient. All rights reserved.

SEE ALSO

       ra(1), rarc(5), argus(8)

AUTHORS

       Carter Bullard (carter@qosient.com).

rasplit 3.0.8                   12 August 2003                      RASPLIT(1)