Reviewing old logs with new scripts?

Hey all,
Apologies if this is not the place to ask this, but I’ve got intel feeds working (criticalstack) for the past few days and was wondering if it is possible to interrogate existing logs with the new intel using bro-cut (I have months’ worth where there was a clear breach due to network misconfiguration)?
I guess it is possible, but would require more of a shell-based diff or something? I know you can replay packet dumps, but it would appear not logs?

Also, haven’t seen this mentioned anywhere - with bro-cut, what globbing / regular expression options are there? e.g. ![].

Thanx Pel

You can see a list of all bro-cut options by running
bro-cut -h

It should work with all ASCII Bro logs that contain the header lines
(lines starting with "#"). If your old logs are compressed then
you will need to do something like this:
zcat conn.log.gz | bro-cut
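
One way to run new intel over archived logs, as an added example that is not part of the original thread: bro-cut selects columns by the names in the "#fields" header, and the awk below reads the same header so it can join a log against an intel file in one pass. The function names, file names and sample rows are constructed, and the intel file is assumed to be in the Bro intel framework's tab-separated format with "indicator" and "meta.source" columns.

```shell
#!/bin/sh
# Added example (not from the thread): match intel indicators against old Bro logs.

read_log() {                       # stream a log, decompressing .gz archives
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# retro_match INTEL_FILE LOG_FILE FIELD...
# Prints: ts <TAB> field <TAB> matched value <TAB> intel source
retro_match() {
    intel=$1; log=$2; shift 2
    read_log "$log" | awk -F'\t' -v want="$*" '
        BEGIN { n = split(want, f, " ") }
        /^#fields/ {               # header names the columns; $1 is "#fields" itself
            split("", col)
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }              # other header/footer lines
        phase == 1 {               # intel file: remember indicator -> source
            if ($col["indicator"] != "") ioc[$col["indicator"]] = $col["meta.source"]
            next
        }
        {                          # log rows: test each requested column
            for (k = 1; k <= n; k++) {
                if (!(f[k] in col)) continue
                v = $col[f[k]]
                if (v in ioc) print $col["ts"] "\t" f[k] "\t" v "\t" ioc[v]
            }
        }
    ' phase=1 "$intel" phase=2 -
}

make_sample() {                    # constructed data, documentation-range addresses
    printf '#fields\tindicator\tindicator_type\tmeta.source\n'  > "$1/intel.dat"
    printf '203.0.113.7\tIntel::ADDR\texample-feed\n'          >> "$1/intel.dat"
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\n'           > "$1/conn.log"
    printf '1420070400.0\tCabc1\t192.0.2.10\t198.51.100.5\n'   >> "$1/conn.log"
    printf '1420070460.0\tCabc2\t192.0.2.10\t203.0.113.7\n'    >> "$1/conn.log"
    printf '#close\t2015-01-01-00-02-00\n'                     >> "$1/conn.log"
}

demo=$(mktemp -d) && make_sample "$demo"
retro_match "$demo/intel.dat" "$demo/conn.log" id.orig_h id.resp_h
rm -rf "$demo"
```

On real archives the call would look like: retro_match intel.dat conn.log.gz id.orig_h id.resp_h. Domain indicators can be checked the same way against the "query" column of dns.log or the "host" column of http.log.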