"bro-cut -d | grep" vs. "grep | bro-cut -d"

Topic (sorta) says it. Example:

[08:49:21 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | grep light | bro-cut -d

[08:49:25 ids:~/broarchive/03-28-2013$] zcat dns.log.gz | bro-cut -d | grep light
2013-03-28T20:42:09-0600 X8KFdodB5Ie x.x.x.x 55051 x.x.x.x 53 udp 43494 www.lighting.com 1 C_INTERNET 1 A 0 NOERROR F F T T 0 x.x.x.x 3600.000000
[08:49:50 ids:~/broarchive/03-28-2013$]

I'd like to grep out the content before sending to bro-cut as it takes a fraction of the time (as shown above). I've made sure that no colorization is happening. Any hints on how I can get this to fly? Thank you.

James

Hi James,

I asked a similar question under a subject like “Feature request; up to 50% done?” and got this answer from Seth, which solves some of the problems I think you’re trying to solve…

Cheers,

Jesse

So, I suppose I’m requesting that someone with more gawk chops than myself give a shot at integrating this into bro-cut

I tend to use these lines in my profile…

# Bro logs are tab-separated; strip the "fields."/"types." prefixes and align columns.
alias bro-column="sed 's/fields.//;s/types.//' | column -s \$'\t' -t"
alias bro-awk='awk -F"\t"'
# Keep the '#' header lines (bro-cut needs #fields/#types) plus the matching rows.
# Takes the pattern, then any number of files, so a glob like the one below works.
bro-grep() { pat="$1"; shift; grep -hE "(^#)|$pat" "$@"; }
bro-zgrep() { pat="$1"; shift; zgrep -hE "(^#)|$pat" "$@"; }

What you’re trying to do can then be accomplished like this…

bro-zgrep ‘10.10.10.10’ /usr/local/bro/logs/conn.*.log.gz | bro-cut id.orig_h,id.resp_h

It would be handy to be able to do this through bro-cut though but that would make bro-cut start to sound like an incorrectly named utility. :)

Have you tried using the ElasticSearch writer and Brownian?

.Seth

Thanks for the repost Jess, that helps :)

James