[Bro] How to parse bro decimal timestamps?
Brad Cox
bradjcox at gmail.com
Sat Apr 16 13:44:06 PDT 2016
Need to parse dates in Java; using this in a Spark streaming analytics pipeline.
Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
> On Apr 16, 2016, at 4:31 PM, Chris Walsh <chris at cwalsh.org> wrote:
>
> Depends on what you’re reading the logs with.
>
> You could use bro-cut with the ‘-d’ flag, to do the conversion for you.
>
> If you just need to do one-off date conversion:
>
> Using GNU date (takes date as is):
>
> $ date --date='@1459774793.429104'
> Mon Apr 4 12:59:53 UTC 2016
>
> OSX (wants the date as an integer)
>
> $ foobar=`echo 1459774793.429104 | cut -d. -f1`
> $ date -r $foobar
> Mon Apr 4 07:59:53 CDT 2016
>
>
> If you’re snarfing the timestamps into your own code, then it depends on what language/libraries you’re using.
>
>
>
>> On Apr 16, 2016, at 3:05 PM, Brad Cox <bradjcox at gmail.com> wrote:
>>
>> How do I turn the timestamp (ts) field in this example into a standard date format (java or unix dates for example?)
>>
>> set_separator ,
>> #empty_field (empty)
>> #unset_field -
>> #path conn
>> #open 2016-04-04-09-00-04
>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>> #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
>> 1459774793.429104 CZgDTe31Z6ynNuzgN7 fe80::c874:93f:5b4e:c1e1 64648 ff02::1:3 5355 udp dns 0.412428 44 0 S0 F F 0 D 2 140 0 0 (empty)
>> 1459774793.429113 Ci77TT3Kp4dNmhAYc1 172.16.2.33 64648 224.0.0.252 5355 udp dns 0.412434 44 0 S0 F F 0 D 2 100 0 0 (empty)
>>
>
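Since the question asks for Java specifically, here is an added example (not code from the thread or from the Bro project) that parses the `ts` field into `java.time.Instant` without dropping microseconds, and pulls it out of a conn.log record. It assumes Bro's default tab field separator (`#separator \x09`, which the pasted header has lost) and treats `-` as the unset marker the `#unset_field` header declares; the sample record is the first line from the question, rebuilt with tabs. Going through `BigDecimal` rather than `Double.parseDouble` is deliberate: a binary double cannot hold `1459774793.429104` exactly, and rounding in the last microsecond is enough to break ordering or joins when you correlate conn.log entries with other logs.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;

public final class BroTimestamp {

    private BroTimestamp() {}

    /**
     * Parse a Bro "time" field (Unix epoch seconds with a decimal fraction,
     * e.g. "1459774793.429104") into an Instant, keeping the microseconds exact.
     * Returns null for the unset marker "-" or an empty field.
     */
    public static Instant parse(String ts) {
        if (ts == null || ts.isEmpty() || ts.equals("-")) {
            return null;
        }
        // BigDecimal keeps every decimal digit; Double.parseDouble would round the
        // value to the nearest binary fraction and can shift the last microsecond.
        BigDecimal value = new BigDecimal(ts.trim());
        long seconds = value.longValue();                       // whole seconds (truncates)
        long nanos = value.subtract(BigDecimal.valueOf(seconds))
                          .movePointRight(9)                    // fractional seconds -> nanoseconds
                          .setScale(0, RoundingMode.DOWN)       // drop anything finer than 1 ns
                          .longValueExact();
        return Instant.ofEpochSecond(seconds, nanos);
    }

    /** ISO 8601 in UTC with the fractional seconds preserved. */
    public static String toIso8601(Instant instant) {
        return DateTimeFormatter.ISO_INSTANT.format(instant);
    }

    /** Legacy java.util.Date for APIs that still want one (millisecond precision only). */
    public static Date toDate(Instant instant) {
        return Date.from(instant);
    }

    /**
     * Extract and parse the ts column of one conn.log record.
     * Assumes the default tab separator; ts is the first field per the #fields header.
     */
    public static Instant tsOfRecord(String line) {
        String[] fields = line.split("\t", -1);
        return parse(fields[0]);
    }

    public static void main(String[] args) {
        // Constructed sample: the first record from the question, tab-separated.
        String record = String.join("\t",
            "1459774793.429104", "CZgDTe31Z6ynNuzgN7", "fe80::c874:93f:5b4e:c1e1", "64648",
            "ff02::1:3", "5355", "udp", "dns", "0.412428", "44", "0", "S0", "F", "F", "0",
            "D", "2", "140", "0", "0", "(empty)");

        Instant ts = tsOfRecord(record);
        System.out.println(toIso8601(ts));                            // UTC, microseconds kept
        System.out.println(ts.atZone(ZoneOffset.UTC).toLocalDate());  // calendar date in UTC
        System.out.println(toDate(ts).getTime());                     // epoch milliseconds for legacy APIs
        System.out.println(parse("-"));                               // unset field -> null
    }
}
```

The first printed line is the same instant Chris's GNU `date` invocation above reports (Mon Apr 4 12:59:53 UTC 2016), with the fraction intact. In a Spark job, `parse` can be wrapped in a UDF over the `ts` column; keep the `null` path, since Bro writes `-` for unset fields and a parser that throws on it will kill the batch.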