[Bro] How to parse bro decimal timestamps?
Brad Cox
bradjcox at gmail.com
Sat Apr 16 15:25:13 PDT 2016
Java code would be nice, but an ordinary description of how a decimal date relates to standard dates would do. I'm familiar with Java/Unix conventions where a long integer specifies seconds since the Unix epoch (Jan 1970). But I've tried converting the bro decimal to long and converting that to a date. That gives a date sometime in 1970 which clearly isn't right. And what do the fractional values mean? Milliseconds perhaps?
Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
> On Apr 16, 2016, at 4:44 PM, Brad Cox <bradjcox at gmail.com> wrote:
>
> Need to parse dates in java; using this in a spark streaming analytics pipeline.
>
> Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
>
>> On Apr 16, 2016, at 4:31 PM, Chris Walsh <chris at cwalsh.org> wrote:
>>
>> Depends on what you’re reading the logs with.
>>
>> You could use bro-cut with the ‘-d’ flag, to do the conversion for you.
>>
>> If you just need to do one-off date conversion:
>>
>> Using GNU date (takes date as is):
>>
>> $ date --date='@1459774793.429104'
>> Mon Apr 4 12:59:53 UTC 2016
>>
>> OSX (wants the date as an integer)
>>
>> $ foobar=`echo 1459774793.429104 | cut -d. -f1`
>> $ date -r $foobar
>> Mon Apr 4 07:59:53 CDT 2016
>>
>>
>> If you’re snarfing the timestamps into your own code, then it depends on what language/libraries you’re using.
>>
>>> On Apr 16, 2016, at 3:05 PM, Brad Cox <bradjcox at gmail.com> wrote:
>>>
>>> How do I turn the timestamp (ts) field in this example into a standard date format (java or unix dates for example?)
>>>
>>> set_separator ,
>>> #empty_field (empty)
>>> #unset_field -
>>> #path conn
>>> #open 2016-04-04-09-00-04
>>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>>> #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
>>> 1459774793.429104 CZgDTe31Z6ynNuzgN7 fe80::c874:93f:5b4e:c1e1 64648 ff02::1:3 5355 udp dns 0.412428 44 0 S0 F F 0 D 2 140 0 0 (empty)
>>> 1459774793.429113 Ci77TT3Kp4dNmhAYc1 172.16.2.33 64648 224.0.0.252 5355 udp dns 0.412434 44 0 S0 F F 0 D 2 100 0 0 (empty)
>>>
>>
>
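The conversion Chris describes, as an added Java example that is not from this thread: Bro's ts field is seconds since the Unix epoch, with the fraction giving sub-second precision (six digits, i.e. microseconds, in the conn log above), while java.util.Date(long) and Instant.ofEpochMilli() take milliseconds, so whole seconds passed to them land in January 1970. The class name BroTime is my own.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.sql.Timestamp;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.util.Date;

public class BroTime {
    // Bro's "time" type is seconds since the Unix epoch (1970-01-01T00:00:00Z);
    // the digits after the point are the sub-second part (microseconds in the logs).
    // BigDecimal keeps all six fractional digits exactly, which a double may not.
    public static Instant parse(String ts) {
        BigDecimal seconds = new BigDecimal(ts.trim());
        long whole = seconds.setScale(0, RoundingMode.FLOOR).longValueExact();
        long nanos = seconds.subtract(BigDecimal.valueOf(whole))
                            .movePointRight(9)                 // fraction -> nanoseconds
                            .setScale(0, RoundingMode.DOWN)    // drop digits beyond nanos
                            .longValueExact();
        return Instant.ofEpochSecond(whole, nanos);
    }

    // Spark/JDBC-friendly form: java.sql.Timestamp keeps the nanosecond field.
    public static Timestamp toTimestamp(String ts) {
        return Timestamp.from(parse(ts));
    }

    public static void main(String[] args) {
        String ts = "1459774793.429104";   // first ts value from the conn log in the thread
        Instant when = parse(ts);

        // Prints the same instant in UTC with the microseconds preserved,
        // matching the GNU date output in the thread (12:59:53 UTC, 4 Apr 2016).
        System.out.println(DateTimeFormatter.ISO_INSTANT.format(when));

        // The pitfall: Date(long) expects MILLISECONDS. Feeding it whole seconds
        // lands in January 1970; scaling by 1000 gives April 2016 (local zone).
        long wholeSeconds = (long) Double.parseDouble(ts);
        System.out.println(new Date(wholeSeconds));
        System.out.println(new Date(wholeSeconds * 1000L));

        // Sub-second part survives the round trip into a SQL Timestamp.
        System.out.println(toTimestamp(ts).getNanos());
    }
}
```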