[Bro] How to parse bro decimal timestamps?
Chris Walsh
chris at cwalsh.org
Sat Apr 16 15:43:05 PDT 2016
The value is the number of seconds since the epoch, including a fractional portion. Your problem with Java dealing with it is likely that Java wants the number of *milliseconds* since the epoch, so you should multiply what Bro gives you by 1000 (and drop the fractional part) before converting it with whatever Java code you're working with.
Chris
> On Apr 16, 2016, at 5:25 PM, Brad Cox <bradjcox at gmail.com> wrote:
>
> Java code would be nice, but an ordinary description of how a decimal date relates to standard dates would do. I'm familiar with Java/Unix conventions where a long integer specifies seconds since the Unix epoch (Jan 1970). But I've tried converting the bro decimal to long and converting that to a date. That gives a date sometime in 1970 which clearly isn't right. And what do the fractional values mean? Milliseconds perhaps?
>
> Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
>
>> On Apr 16, 2016, at 4:44 PM, Brad Cox <bradjcox at gmail.com> wrote:
>>
>> Need to parse dates in java; using this in a spark streaming analytics pipeline.
>>
>> Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
>>
>>> On Apr 16, 2016, at 4:31 PM, Chris Walsh <chris at cwalsh.org> wrote:
>>>
>>> Depends on what you’re reading the logs with.
>>>
>>> You could use bro-cut with the ‘-d’ flag, to do the conversion for you.
>>>
>>> If you just need to do one-off date conversion:
>>>
>>> Using GNU date (takes date as is):
>>>
>>> $ date --date='@1459774793.429104'
>>> Mon Apr 4 12:59:53 UTC 2016
>>>
>>> OSX (wants the date as an integer)
>>>
>>> $ foobar=`echo 1459774793.429104 | cut -d. -f1`
>>> $ date -r $foobar
>>> Mon Apr 4 07:59:53 CDT 2016
>>>
>>>
>>> If you’re snarfing the timestamps into your own code, then it depends on what language/libraries you’re using.
>>>
>>>
>>>
>>>> On Apr 16, 2016, at 3:05 PM, Brad Cox <bradjcox at gmail.com> wrote:
>>>>
>>>> How do I turn the timestamp (ts) field in this example into a standard date format (java or unix dates for example?)
>>>>
>>>> #set_separator ,
>>>> #empty_field (empty)
>>>> #unset_field -
>>>> #path conn
>>>> #open 2016-04-04-09-00-04
>>>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>>>> #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
>>>> 1459774793.429104 CZgDTe31Z6ynNuzgN7 fe80::c874:93f:5b4e:c1e1 64648 ff02::1:3 5355 udp dns 0.412428 44 0 S0 F F 0 D 2 140 0 0 (empty)
>>>> 1459774793.429113 Ci77TT3Kp4dNmhAYc1 172.16.2.33 64648 224.0.0.252 5355 udp dns 0.412434 44 0 S0 F F 0 D 2 100 0 0 (empty)
>>>>
>>>
>>
>
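As an added example (not from the thread, and not Bro's or Java's own code), in Python rather than the Java Brad asked for: a small parser for the conn.log header and records quoted above. It reads the `#separator`, `#fields` and `#types` directives, converts every `time`-typed field (here `ts`) to a UTC datetime keeping all six fractional digits, computes the epoch-millisecond long that Java's `Date(long)` / `Instant.ofEpochMilli(long)` expect, and reproduces the "sometime in 1970" result you get from casting the seconds to a long and handing it to Java as if it were milliseconds. The sample log is reconstructed from the thread's paste, tab-separated as Bro writes it, with the leading `#separator \x09` line restored; the function names are mine.

```python
"""Parse Bro ASCII logs and convert the decimal `time` fields.

A Bro `time` value is seconds since the Unix epoch with a fractional part
(microsecond precision), e.g. 1459774793.429104 == 2016-04-04 12:59:53.429104 UTC.
"""
from datetime import datetime, timezone
from decimal import Decimal

# Constructed sample: the header and the two records quoted in the thread,
# re-joined with the tab separator Bro writes. The "#separator \x09" line is the
# one Bro emits first; the thread's paste had lost it.
_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
           "duration orig_bytes resp_bytes conn_state local_orig local_resp "
           "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
           "resp_ip_bytes tunnel_parents").split()
_TYPES = ("time string addr port addr port enum string interval count count "
          "string bool bool count string count count count count "
          "set[string]").split()
_REC1 = ("1459774793.429104 CZgDTe31Z6ynNuzgN7 fe80::c874:93f:5b4e:c1e1 64648 "
         "ff02::1:3 5355 udp dns 0.412428 44 0 S0 F F 0 D 2 140 0 0 (empty)").split()
_REC2 = ("1459774793.429113 Ci77TT3Kp4dNmhAYc1 172.16.2.33 64648 224.0.0.252 "
         "5355 udp dns 0.412434 44 0 S0 F F 0 D 2 100 0 0 (empty)").split()
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2016-04-04-09-00-04",
    "#fields\t" + "\t".join(_FIELDS),
    "#types\t" + "\t".join(_TYPES),
    "\t".join(_REC1),
    "\t".join(_REC2),
])


def bro_time_to_datetime(ts):
    """Bro `time` string -> timezone-aware UTC datetime, microseconds intact.

    Decimal rather than float: 1459774793.429104 is not exactly representable
    as a double, and going through float can perturb the last digits.
    """
    d = Decimal(ts)
    secs = int(d)                              # whole seconds since the epoch
    micros = int((d - secs) * 1_000_000)       # the six fractional digits
    return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=micros)


def bro_time_to_epoch_millis(ts):
    """The long that java.util.Date(long) / Instant.ofEpochMilli(long) expect:
    seconds * 1000, with the sub-millisecond remainder dropped."""
    return int(Decimal(ts) * 1000)


def naive_long_cast_millis(ts):
    """The conversion that yields a 1970 date: cast the seconds to a long and
    let Java read it as milliseconds. 1459774793 ms is only ~16.9 days."""
    return datetime.fromtimestamp(int(Decimal(ts)) / 1000, tz=timezone.utc)


def parse_bro_log(text):
    """Yield one dict per record; `time` fields become UTC datetimes,
    unset fields become None, everything else stays a string."""
    sep, unset, fields, types = "\t", "-", None, None
    for line in text.splitlines():
        if not line or line.startswith("#close"):
            continue
        if line.startswith("#"):
            # "#separator" is followed by a space; later directives use the separator
            key, _, value = line[1:].partition(" " if line.startswith("#separator") else sep)
            if key == "separator":
                sep = value.encode("ascii").decode("unicode_escape")   # "\x09" -> tab
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue
        if fields is None or types is None:
            raise ValueError("record before #fields/#types header")
        rec = {}
        for name, typ, raw in zip(fields, types, line.split(sep)):
            if raw == unset:
                rec[name] = None
            elif typ == "time":
                rec[name] = bro_time_to_datetime(raw)
            else:
                rec[name] = raw
        yield rec


if __name__ == "__main__":
    for rec in parse_bro_log(SAMPLE_LOG):
        print(rec["ts"].strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
              bro_time_to_epoch_millis(_REC1[0]) if rec is None else "",
              rec["uid"], rec["id.orig_h"], rec["id.resp_h"], rec["service"])
```

On the Java side the equivalent of `bro_time_to_epoch_millis` is `new Date((long) (Double.parseDouble(ts) * 1000))`, or, to keep the microseconds, `Instant.ofEpochSecond(secs, micros * 1000)`; the Python above does the arithmetic in `Decimal` so the last digits survive, which `Double.parseDouble` does not guarantee.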