zeek-cut(1) User Commands zeek-cut(1)
NAME
zeek-cut - parse Zeek logs
SYNOPSIS
zeek-cut [options] [columns]
DESCRIPTION
Extracts the given columns from ASCII Zeek logs on standard input, and
outputs them to standard output. If no field names are given, all are
selected. By default, zeek-cut does not include format header blocks in
the output.
Columns are specified as a list of space-separated field names. The
order of field names given to zeek-cut determines the output order,
which means zeek-cut can be used to reorder columns.
The ASCII Zeek logs read on standard input must have intact format
header blocks because zeek-cut needs this information to correctly
interpret the log file format. In fact, zeek-cut can process the
concatenation of multiple ASCII log files that have different column
layouts.
OPTIONS
-c Include the first format header block in the output.
-C Include all format header blocks in the output.
-d Convert time values into human-readable format.
-D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).
-F <ofs> Sets a different output field separator character.
-h Show help.
-n Print all fields except those specified.
-u Like -d, but print timestamps in UTC instead of local time.
-U <fmt> Like -D, but print timestamps in UTC instead of local time.
ENVIRONMENT
ZEEK_CUT_TIMEFMT
For time conversion option -d or -u, the format string can be
specified by setting this environment variable.
EXAMPLES
Output three columns and convert time values:
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
Output all columns and convert time values with a custom format string:
cat conn.log | zeek-cut -D "%Y-%m-%d %H:%M:%S"
Compressed logs must be uncompressed with another utility:
zcat conn.log.gz | zeek-cut
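The following Python script is an added illustration and is not part of zeek-cut or the Zeek distribution. It re-implements the behaviour described above (reading the format header blocks, selecting and reordering columns, -n, -F and -U style UTC time conversion) over a constructed concatenation of a conn.log block and a dns.log block with different column layouts. Two details are assumptions rather than documented zeek-cut behaviour: a requested column that a block lacks is printed as that block's #unset_field marker, and the time format is always passed in explicitly.

```python
import time

# Constructed sample input: a conn.log block followed by a dns.log block
# with a different column layout, as zeek-cut accepts on standard input.
SAMPLE = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p
#types\ttime\tstring\taddr\tport\taddr\tport
1572933351.000000\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t443
#separator \\x09
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tquery
#types\ttime\tstring\taddr\tport\tstring
1572933352.500000\tCdef2\t10.0.0.6\t53000\texample.org
"""

def zeek_cut(text, columns, negate=False, ofs=None, utc_fmt=None):
    """Select columns from concatenated Zeek ASCII logs ([] = all); negate ~ -n, ofs ~ -F, utc_fmt ~ -U."""
    out, sep, fields, idx, unset, time_cols = [], "\t", [], [], "-", set()
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the separator is hex-escaped in the header (\x09 is TAB)
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line.partition(sep)
            if key == "#unset_field":
                unset = rest
            elif key == "#fields":  # a new block may change the layout
                fields = rest.split(sep)
                chosen = ([f for f in fields if f not in columns] if negate
                          else columns or fields)
                # assumption: a requested column this block lacks prints as unset
                idx = [fields.index(c) if c in fields else -1 for c in chosen]
            elif key == "#types":
                time_cols = {i for i, t in enumerate(rest.split(sep)) if t == "time"}
            continue
        if not fields:  # this is why intact header blocks are required
            raise ValueError("data row before any #fields header")
        vals, row = line.split(sep), []
        for i in idx:
            v = vals[i] if i >= 0 else unset
            if utc_fmt and i in time_cols and v != unset:
                v = time.strftime(utc_fmt, time.gmtime(float(v)))
            row.append(v)
        out.append((ofs or sep).join(row))
    return out
```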
SEE ALSO
strftime(3)
AUTHOR
zeek-cut was written by The Zeek Project <info@zeek.org>.
zeek-cut November 2014 zeek-cut(1)
zeek 3.0.0 - Generated Tue Nov 5 05:55:51 CST 2019
