bro-cut -c vs -C

Hi Folks,

I can't tell if I'm reading the man page for bro-cut incorrectly or if
there's a bug.

bro-cut -c and bro-cut -C seem to output the same headers. The man page states:

-c Include the first format header block into the output.
-C Include all format header blocks into the output.

Can someone tell me what the difference should be?


The -C option is useful when bro-cut is reading more than one log file,
because it allows you to see the boundaries between each log file.

For example:
gunzip -c conn.*.log.gz | bro-cut -C

-C is also needed if the columns are expected to change at any point, i.e.

cat conn.log dns.log | bro-cut -C uid id.orig_h query

or, something like dumping log archives for a time period that includes a Bro version upgrade that added/removed fields.

Now that I really think about it, it would make the most sense for -C to only output a header block if there was a change from the previous one... and possibly -c should just do that too. Only outputting the first header block is possibly the wrong thing to do if the header block for the selected fields ever changes.
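
Added example (not part of the thread and not bro-cut's own code): a simplified Python model of the three header policies discussed above, run over a constructed stream of two conn logs followed by a dns log. The function names, the sample rows, the "changed" mode, and writing "-" for a column a log lacks are assumptions of this sketch.

```python
# Simplified model of bro-cut header handling (illustration, not bro-cut's code).
def log(path, fields, types, rows):
    """Build one constructed Bro ASCII log as a list of lines."""
    return ["#separator \\x09", "#path\t" + path,
            "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types),
            *rows, "#close\t2020-01-01-00-00-00"]

CONN_F, CONN_T = ["ts", "uid", "id.orig_h"], ["time", "string", "addr"]
CONN_A = log("conn", CONN_F, CONN_T, ["1.0\tC1\t10.0.0.1"])
CONN_B = log("conn", CONN_F, CONN_T, ["2.0\tC2\t10.0.0.2"])
DNS = log("dns", CONN_F + ["query"], CONN_T + ["string"],
          ["3.0\tC3\t10.0.0.3\texample.com"])
SAMPLE = "\n".join(CONN_A + CONN_B + DNS)  # constructed; like cat of three logs
WANTED = ["uid", "id.orig_h", "query"]

def cut(stream, wanted, mode="none"):
    """mode: 'none', 'first' (like -c), 'all' (like -C), 'changed' (the proposal)."""
    out, pending, cols, sig = [], [], {}, []
    blocks, last_sig = 0, None
    for line in stream.splitlines():
        if line.startswith("#close"):
            continue  # footers are dropped in this sketch
        if line.startswith("#"):
            tag, *vals = line.split("\t")
            if tag == "#fields":
                cols = {name: i for i, name in enumerate(vals)}
            if tag in ("#fields", "#types"):
                # Project the header onto the selected columns this log has.
                vals = [vals[cols[w]] for w in wanted if w in cols]
                line = "\t".join([tag] + vals)
                sig.append(line)
            pending.append(line)
            continue
        if pending:  # first data row of a block: decide whether to show its header
            blocks += 1
            if (mode == "all" or (mode == "first" and blocks == 1)
                    or (mode == "changed" and sig != last_sig)):
                out.extend(pending)
            last_sig, pending, sig = sig, [], []
        row = line.split("\t")
        # Assumption: a selected column missing from this log is written as "-".
        out.append("\t".join(row[cols[w]] if w in cols else "-" for w in wanted))
    return out

def header_blocks(lines):
    """Count header blocks in the output by their #fields lines."""
    return sum(1 for l in lines if l.startswith("#fields"))

if __name__ == "__main__":
    for mode in ("first", "all", "changed"):
        print(mode, header_blocks(cut(SAMPLE, WANTED, mode)))
```

With a single input log the 'first' and 'all' modes produce identical output, which matches what the original question observed.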