[Bro] "bro-cut -d | grep" vs. "grep | bro-cut -d"

Vlad Grigorescu vladg at cmu.edu
Fri Mar 29 08:24:34 PDT 2013


bro-cut relies on the header fields. You can use something like this:

> grep -E '(^#|light)'

  --Vlad


On Mar 29, 2013, at 11:17 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> Topic (sorta) says it.  Example:
> 
> [08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light | bro-cut -d
> 
> [08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d | grep light
> 2013-03-28T20:42:09-0600        X8KFdodB5Ie     x.x.x.x    55051   x.x.x.x    53      udp     43494   www.lighting.com      1       C_INTERNET      1       A       0       NOERROR F       F       T       T       0       x.x.x.x    3600.000000
> [08:49:50 ids:~/broarchive/03-28-2013$]
> 
> I'd like to grep out the content before sending to bro-cut as it takes 
> a fraction of the time (as shown above).  I've made sure that no 
> colorization is happening.  Any hints on how I can get this to fly?  
> Thank you.
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
