Changing separator

James_Lay · October 24, 2013, 3:10pm

So...I'm almost certain that there was a way to change from the tab character, to comma (I thought), but for the life of me I can't seem to find it. Been working with logstash and currently messages come through as:

1382627138.211512\tCQ74U23HZlcab0LNnh\t192.168.1.3\t64079\t224.0.0.1\t8612\tudp\t-\t-\t-\t-\tS0\tT\t0\tD\t1\t44\t0\t0\t(empty)

Which is kind of painful for matching. Any quick pointers on how to do this? Thank you.

James

johanna · October 24, 2013, 3:15pm

Hi,

you can redefine Log::separator. See http://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.html

Johanna

Siwek_Jon · October 24, 2013, 3:25pm

http://bro.org/sphinx-git/scripts/base/frameworks/logging/writers/ascii.html#id-LogAscii::separator

Note that commas are already used for LogAscii::set_separator, but you can change that, too.

- Jon

James_Lay · October 24, 2013, 3:41pm

Thanks for the responses gents...every little bit helps.

James

Topic		Replies	Views
Log File Modifications Zeek	3	93	May 6, 2022
#558: /topic/gilbert/ascii-header Development development	1	64	May 6, 2022
Log filtering a field re-ordering Zeek	1	50	May 6, 2022
#558: /topic/gilbert/ascii-header Development development	2	53	May 6, 2022
#976: regex change in syslog-analyzer.pac Development development	1	73	May 6, 2022

Changing separator

Related Topics