"bro-cut -d | grep" vs. "grep | bro-cut -d"

bro-cut relies on the header fields. You can use something like this:

grep -E '(^#|light)'

  --Vlad

Thanks Vlad, that does help. I guess I should explain my usage as well. I see some event, and I go right to current and:

grep x.x.x.x *

and get lots of good information, but no timestamp. Interestingly, the below works:

cat * | egrep '(^#|x.x.x.x)' | /opt/bin/bro-cut -d

but the below script and execution do not (no results):

#!/bin/bash
#cleanbro
cat * | egrep '(^#|$1)' | /opt/bin/bro-cut -d

./cleanbro x.x.x.x

I really just want to be able to look through all logs for the current day (rotation every 24 hours) and for the past days. I don't really just choose one log, I check them all. I had my suspicions up front that the timestamp was going to be an issue. Devs, any chance you can get an option in for human readable timestamps IN logs? Thanks.

James

I’ve also dropped this in an executable script and piped my output to it (naturally it assumes the timestamp is the first field):

#!/bin/gawk -f
# keep tabs as the field separator so the rewritten line is still a valid Bro log
BEGIN { FS = OFS = "\t" }
# pass header lines (#separator, #fields, #types, ...) through untouched
/^#/ { print; next }
{
val = strftime("%Y-%m-%dT%H:%M:%S%z", $1, 0)
$1 = val
print $0
}

Cheers,

Jesse
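Added example (not code from anyone in this thread): a small Python version of what `egrep '(^#|pattern)' | bro-cut -d` does, showing why the header lines matter. It reads the `#separator`, `#unset_field` and `#types` headers to find which columns hold a `time` value and rewrites those as ISO-8601 in UTC; the log excerpt is constructed, and the header names are the ones Bro's ASCII writer emits.

```python
import re
from datetime import datetime, timezone

# Constructed conn.log excerpt in Bro's ASCII log format (not a real capture).
SAMPLE_LOG = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto
#types\ttime\tstring\taddr\taddr\tenum
1424293200.123456\tC1abc\t10.0.0.5\t192.0.2.10\ttcp
1424293261.000000\tC2def\t10.0.0.7\t192.0.2.10\tudp
"""

def to_iso(epoch: float) -> str:
    """Epoch seconds -> ISO-8601 in UTC (the equivalent of bro-cut -u)."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S%z")

def humanize(lines, pattern=None):
    """Rewrite every column typed 'time' as ISO-8601, like bro-cut -d.
    Header lines are always kept; data lines are kept only if they match
    `pattern` (a regex). The columns to convert come from the #types header,
    which is why a plain grep that drops the headers leaves bro-cut with nothing.
    """
    sep, unset, time_cols, out = "\t", "-", [], []
    rx = re.compile(pattern) if pattern else None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator "):
            # the separator itself is written escaped, e.g. "#separator \x09"
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep)[1]
        elif line.startswith("#types"):
            time_cols = [i for i, t in enumerate(line.split(sep)[1:]) if t == "time"]
        if line.startswith("#"):
            out.append(line)
            continue
        if rx and not rx.search(line):
            continue
        cols = line.split(sep)
        for i in time_cols:
            if cols[i] != unset:  # leave "-" (unset) alone, as bro-cut does
                cols[i] = to_iso(float(cols[i]))
        out.append(sep.join(cols))
    return out

if __name__ == "__main__":
    print("\n".join(humanize(SAMPLE_LOG.splitlines(True), "10.0.0.7")))
```

If you wrap this (or bro-cut) in a shell script, pass the pattern in double quotes: in the cleanbro script above, `$1` sits inside single quotes, so egrep receives the literal text `$1` instead of the address, which is why it returns nothing.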