[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"

James Lay jlay at slave-tothe-box.net
Fri Mar 29 08:17:52 PDT 2013


Topic (sorta) says it.  Example:

[08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light | bro-cut -d

[08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d | grep light
2013-03-28T20:42:09-0600        X8KFdodB5Ie     x.x.x.x    55051   
x.x.x.x    53      udp     43494   www.lighting.com      1       
C_INTERNET      1       A       0       NOERROR F       F       T       
T       0       x.x.x.x    3600.000000
[08:49:50 ids:~/broarchive/03-28-2013$]

I'd like to grep out the content before sending to bro-cut as it takes 
a fraction of the time (as shown above).  I've made sure that no 
colorization is happening.  Any hints on how I can get this to fly?  
Thank you.

James
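An added example, not from the original post or the Bro project: bro-cut takes the field names and column types from the `#fields` and `#types` header lines of the log it reads, and `-d` uses the `#types` line to find the `time` columns it should convert, so a grep that drops those header lines leaves bro-cut with nothing to work from. The function below keeps every header line (`#separator`, `#fields`, `#types`, `#close`, ...) and only filters the records, so the grep-first ordering from the post still produces output. The sample log, the `bro_grep` name and the second record's uid and addresses are constructed for this example; `bro-cut` itself is not run here.

```shell
#!/bin/sh
# bro_grep PATTERN: read a Bro ASCII log on stdin, write all header lines
# (those starting with '#') plus the records matching PATTERN to stdout.
# Header lines are what bro-cut needs to map columns to names and types.
bro_grep() {
    grep -E -e '^#' -e "$1"
}

# Constructed sample of a Bro 2.x dns.log (tab-separated, trimmed to a few
# columns). Built with printf so the tabs survive copy-and-paste.
sample_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\n'
    printf '1364524929.000000\tX8KFdodB5Ie\t192.0.2.10\t55051\t192.0.2.53\t53\tudp\t43494\twww.lighting.com\n'
    printf '1364524930.000000\tCqjA3bK7Hs2\t192.0.2.10\t55052\t192.0.2.53\t53\tudp\t43495\twww.example.org\n'
    printf '#close\t2013-03-28-21-00-00\n'
}

# Helpers that return counts so the behaviour can be checked without bro-cut.
count_lines() {
    wc -l | tr -d ' '
}

# Number of lines a plain grep leaves: the matching record only, no header.
plain_grep_lines() {
    sample_log | grep "$1" | count_lines
}

# Number of lines bro_grep leaves: header lines plus the matching record.
bro_grep_lines() {
    sample_log | bro_grep "$1" | count_lines
}

# Whether the '#fields' header survives the filter (1 if present, 0 if not).
has_fields_header() {
    sample_log | bro_grep "$1" | grep -c '^#fields'
}

# Usage in a real pipeline (bro-cut not invoked in this example):
#   zcat dns.log.gz | bro_grep light | bro-cut -d
```

`grep -E -e '^#' -e PATTERN` ORs the two patterns, so the header lines pass untouched while every other line must match the search term. One caveat: a record whose uid or other column happens to contain the search term will match, just as with the original `grep light`, so narrow the pattern (or grep after bro-cut on the named column) when that matters.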


