bro-cut(1) User Commands bro-cut(1)
NAME
bro-cut - parse Bro logs
SYNOPSIS
bro-cut [options] [columns]
DESCRIPTION
Extracts the given columns from ASCII Bro logs on standard input, and outputs them to standard output. If no field names are given, all are selected. By default, bro-cut does not include format header blocks in the output.
Columns are specified as a list of space-separated field names. The order of field names given to bro-cut determines the output order, which means bro-cut can be used to reorder columns.
The ASCII Bro logs read on standard input must have intact format header blocks because bro-cut needs this information to correctly interpret the log file format. In fact, bro-cut can process the concatenation of multiple ASCII log files that have different column layouts.
OPTIONS
-c        Include the first format header block in the output.
-C        Include all format header blocks in the output.
-d        Convert time values into human-readable format.
-D <fmt>  Like -d, but specify format for time (see strftime(3) for syntax).
-F <ofs>  Sets a different output field separator character.
-h        Show help.
-n        Print all fields except those specified.
-u        Like -d, but print timestamps in UTC instead of local time.
-U <fmt>  Like -D, but print timestamps in UTC instead of local time.
ENVIRONMENT
BRO_CUT_TIMEFMT
    For time conversion option -d or -u, the format string can be specified by setting this environment variable.
EXAMPLES
Output three columns and convert time values:
    cat conn.log | bro-cut -d ts id.orig_h id.orig_p
Output all columns and convert time values with a custom format string:
    cat conn.log | bro-cut -D "%Y-%m-%d %H:%M:%S"
Compressed logs must be uncompressed with another utility:
    zcat conn.log.gz | bro-cut
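How the format header block drives column selection, as an added Python sketch (not bro-cut's own code and not from the Bro Project): it reads the #separator, #fields and #types header lines, so it can reorder columns, follow a layout change in concatenated logs, and convert time fields to UTC as -U does. The function name cut, the constructed sample logs, and the choice to emit an empty string for a column absent from the current block are assumptions of this example.

```python
from datetime import datetime, timezone

def cut(lines, columns, utc_fmt=None):
    """Yield the selected columns of each data line, in the order requested."""
    sep, fields, types = "\t", [], []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # The value is escaped (e.g. \x09) and set off by a single space.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]   # a new column layout starts here
        elif line.startswith("#types" + sep):
            types = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue                       # other header/footer lines
        else:
            if not fields:
                raise ValueError("data line seen before a #fields header")
            row = dict(zip(fields, line.split(sep)))
            kinds = dict(zip(fields, types))
            out = []
            for col in columns or fields:  # no columns given: select all
                val = row.get(col, "")     # assumption: absent column -> ""
                if utc_fmt and kinds.get(col) == "time" and val not in ("", "-"):
                    stamp = datetime.fromtimestamp(float(val), timezone.utc)
                    val = stamp.strftime(utc_fmt)
                out.append(val)
            yield out

# Constructed sample: a conn log followed by a dns log with a different layout.
SAMPLE = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\n"
    "#types\ttime\tstring\taddr\tport\n"
    "1550400000.000000\tCabc1\t192.0.2.10\t51234\n"
    "#close\t2019-02-17-11-00-00\n"
    "#separator \\x09\n"
    "#path\tdns\n"
    "#fields\tts\tid.orig_h\tquery\n"
    "#types\ttime\taddr\tstring\n"
    "1550400060.500000\t192.0.2.11\texample.com\n"
).splitlines()

if __name__ == "__main__":
    for row in cut(SAMPLE, ["id.orig_h", "ts"], "%Y-%m-%d %H:%M:%S"):
        print("\t".join(row))
```

A log whose header block has been stripped (for example by a grep that drops lines starting with #) raises ValueError here, which mirrors why the DESCRIPTION requires intact header blocks.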
SEE ALSO
strftime(3)
AUTHOR
bro-cut was written by The Bro Project <info@bro.org>.
bro-cut November 2014 bro-cut(1)
bro 2.6.1 - Generated Sun Feb 17 10:44:50 CST 2019