Running racluster but with a time frame

Hi all,

I need to run the following command "racluster -r
argus.2014.08.19.10.30.01.0.gz -s stime daddr -s stime saddr daddr
trans" but to display only events from 10:00am to 10:15am.

How can I accomplish this?

Thanks
Monah

Hi Monah,

You probably meant to email the argus listserv, or possibly the security onion listserv... But since you asked, you should be able to:

racluster -r argus.2014.08.19.10.30.01.0.gz -s stime daddr -s stime saddr daddr trans -t 10h+15m

Much more detail can be found in the man page for ra... It’s quite a flexible option.

Cheers,

Jesse