Bro's software log

I LOVE the software log. Legit. It’s awesome. I’m trying to create a report of sorts, with sed and awk, and for the life of me I’m having a tough time. Here’s what I got so far:

zcat software.log.gz | bro-cut -d | sed -e 's/<tab character here, i.e. ctrl-v, tab>/-/g' -e 's/---[A-Z]{3,5}::/ /' -e 's/^.*0000-//'

This gets me kinda close, but not close enough…here’s the raw entry:

2016-01-01T14:57:02+0000 x.x.x.x - HTTP::BROWSER Windows-Update-Agent 7 9 9600 18145 Client Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21

What I’m really hoping for is this:
x.x.x.x Windows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21

Just the IP address, and the last bit…the entire unparsed_version field. Anyone got a clever script to do something like this? Thank you.

James

Unless I’m missing what you’re trying to do, bro-cut already can do this for you:

cat software.log |bro-cut host unparsed_version

-Dop

You're going to laugh... That's what bro-cut is for :slight_smile:

    # zcat software.log.gz | bro-cut host unparsed_version

Regular cut kind of works too, but bro-cut is faster and easier to use:

    # zcat software.log.gz | egrep -v "^#" | cut -f 2,11

~% awk -F "\t" '{print $2,$11}' software.log

Have you tried using bro-cut to specify the field names that you want?

zcat software.log.gz | bro-cut host name unparsed_version

# bro-cut host unparsed_version < software.log

should do it.

Johanna
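For anyone who wants the same field-by-name selection without bro-cut, here is an added example (not from this thread or the Bro project) that reads the `#fields` header of a Bro TSV log with plain awk and prints the named columns; the log content is constructed, with 10.0.0.5 standing in for the x.x.x.x host above.

```shell
# sample_log: a constructed two-record software.log in Bro's TSV layout
# (header lines as Bro writes them; printf keeps the tab separators explicit).
sample_log() {
    printf '#separator \\x09\n'
    printf '#path\tsoftware\n'
    printf '#fields\tts\thost\thost_p\tsoftware_type\tname\tversion.major\tversion.minor\tversion.minor2\tversion.minor3\tversion.addl\tunparsed_version\n'
    printf '#types\ttime\taddr\tport\tenum\tstring\tcount\tcount\tcount\tcount\tstring\tstring\n'
    printf '1451660222.000000\t10.0.0.5\t-\tHTTP::BROWSER\tWindows-Update-Agent\t7\t9\t9600\t18145\tClient\tWindows-Update-Agent/7.9.9600.18145 Client-Protocol/1.21\n'
    printf '1451660300.000000\t10.0.0.9\t-\tHTTP::SERVER\tApache\t2\t4\t18\t-\t-\tApache/2.4.18 (Ubuntu)\n'
    printf '#close\t2016-01-01-15-00-00\n'
}

# cut_fields NAME... : read a Bro TSV log on stdin and print the named columns,
# tab-separated, in the order given. Unknown names print Bro's unset marker "-".
cut_fields() {
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        $1 == "#fields" {                 # header names every column, 1-based
            for (i = 2; i <= NF; i++) idx[$i] = i - 1
            next
        }
        /^#/ { next }                     # skip the other metadata lines
        {
            out = ""
            for (k = 1; k <= n; k++) {
                col = idx[names[k]]
                out = out (k > 1 ? "\t" : "") (col ? $col : "-")
            }
            print out
        }'
}

# Same result as "bro-cut host unparsed_version":
sample_log | cut_fields host unparsed_version
```

A gzipped log works the same way with `zcat software.log.gz | cut_fields host unparsed_version`.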

Oh for......yugh 8-| Sigh....some days even the simplest of tasks are MIGHTY chores for me. OH LOOKIE HERE, HERE'S bro-cut --help! Gagh....thanks all...I'm going to go back to pretending I have a clue.

James

I actually thought you were trolling for a sec with that sed line. Is he trying to turn this into an animated gif?

:slight_smile: