zeek-cut - parse Zeek logs
Description
Extracts the given columns from ASCII Zeek logs read on standard input and writes them to standard output.
If no field names are given, all columns are selected. By default, zeek-cut does not include the format
header blocks (the lines beginning with "#") in its output.
Columns are specified as a list of space-separated field names. The order of field names given to zeek-cut determines the output order, which means zeek-cut can be used to reorder columns.
The ASCII Zeek logs read on standard input must have intact format header blocks (#separator, #fields,
#types, and so on), because zeek-cut relies on them to interpret the column layout; a pipeline that
filters out "#" lines before zeek-cut, such as grep -v '^#', removes exactly what it needs. Because every
header block redefines the layout, zeek-cut can process the concatenation of multiple ASCII log files
that have different column layouts, such as several days of conn.log written by different Zeek versions.
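To make the header dependency concrete, here is an added example that is not part of zeek-cut or the Zeek project: a small Python re-implementation of the column extraction, run over a constructed pair of concatenated conn logs whose header blocks declare different column layouts. Two choices in it are assumptions rather than documented zeek-cut behaviour: DEFAULT_TIMEFMT is assumed to match the format -d produces, and a requested column that is absent from a block's layout is printed as that block's #unset_field marker. The -c/-C header echo options are not reproduced.

```python
import time
from typing import Dict, Iterable, List, Optional

# Constructed sample input (not a real capture): two ASCII Zeek conn logs
# concatenated, each with its own header block. The second block has a
# different column layout (no 'service' column, 'proto' moved), which is the
# case the description says zeek-cut handles by reading the headers.
def _tsv(*cols: str) -> str:
    return "\t".join(cols)

SAMPLE_LOGS = "\n".join([
    "#separator \\x09",  # written with a literal space: the separator is not known yet
    _tsv("#set_separator", ","),
    _tsv("#empty_field", "(empty)"),
    _tsv("#unset_field", "-"),
    _tsv("#path", "conn"),
    _tsv("#open", "2024-01-01-00-00-00"),
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"),
    _tsv("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string"),
    _tsv("1704067200.000000", "CAbc1", "10.0.0.5", "51234", "93.184.216.34", "443", "tcp", "ssl"),
    _tsv("1704067260.500000", "CAbc2", "10.0.0.7", "40000", "10.0.0.1", "53", "udp", "dns"),
    _tsv("#close", "2024-01-01-00-05-00"),
    "#separator \\x09",
    _tsv("#set_separator", ","),
    _tsv("#empty_field", "(empty)"),
    _tsv("#unset_field", "-"),
    _tsv("#path", "conn"),
    _tsv("#open", "2024-01-02-00-00-00"),
    _tsv("#fields", "ts", "uid", "proto", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p"),
    _tsv("#types", "time", "string", "enum", "addr", "port", "addr", "port"),
    _tsv("1704153600.250000", "CAbc3", "tcp", "192.168.1.9", "55555", "198.51.100.2", "22"),
    _tsv("#close", "2024-01-02-00-05-00"),
]) + "\n"

# Assumption: this is taken to be the format zeek-cut's -d option prints; -D/ZEEK_CUT_TIMEFMT override it.
DEFAULT_TIMEFMT = "%Y-%m-%dT%H:%M:%S%z"


def _decode_separator(spec: str) -> str:
    """Decode the '#separator' value, which Zeek writes as hex escapes such as \\x09."""
    return spec.encode("ascii").decode("unicode_escape")


def zeek_cut(text: str, columns: Optional[List[str]] = None, negate: bool = False,
             timefmt: Optional[str] = None, utc: bool = False,
             ofs: Optional[str] = None) -> List[str]:
    """Extract columns from concatenated ASCII Zeek logs, like `zeek-cut [-n] [-d|-D|-u|-U] [-F]`.

    Each '#separator' line starts a new header block; the '#fields'/'#types' of the
    most recent block decide how the following data rows are interpreted, so a data
    row seen before a complete header block is rejected rather than guessed at.
    Header lines are never echoed (zeek-cut's default without -c/-C).
    """
    sep = "\t"
    unset = "-"
    fields: Optional[List[str]] = None
    type_of: Dict[str, str] = {}
    out: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = _decode_separator(line.split(" ", 1)[1])
            fields, type_of = None, {}  # a new log begins; forget the previous layout
            continue
        if line.startswith("#"):
            key, _, rest = line.partition(sep)
            if key == "#unset_field":
                unset = rest
            elif key == "#fields":
                fields = rest.split(sep)
            elif key == "#types" and fields is not None:
                type_of = dict(zip(fields, rest.split(sep)))
            continue
        if fields is None or not type_of:
            raise ValueError("data row before a complete #fields/#types header block")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, header declares {len(fields)}")
        row = dict(zip(fields, values))
        if columns is None:
            selected: Iterable[str] = fields
        elif negate:
            selected = [f for f in fields if f not in columns]
        else:
            selected = columns
        cells = []
        for name in selected:
            # Example's choice (assumption): a requested column missing from this
            # block's layout is emitted as the block's unset marker, not an error.
            value = row.get(name, unset)
            if name in row and type_of.get(name) == "time" and value != unset and timefmt is not None:
                tm = time.gmtime(float(value)) if utc else time.localtime(float(value))
                value = time.strftime(timefmt, tm)
            cells.append(value)
        out.append((ofs if ofs is not None else sep).join(cells))
    return out


if __name__ == "__main__":
    # Equivalent of: cat conn.log | zeek-cut -u ts id.orig_h id.orig_p
    for row in zeek_cut(SAMPLE_LOGS, ["ts", "id.orig_h", "id.orig_p"], timefmt=DEFAULT_TIMEFMT, utc=True):
        print(row)
```

Feeding the function a data row with no preceding header block raises instead of guessing a layout, which is the failure mode the description warns about: once the "#" lines are gone there is no way to know which column is ts, id.orig_h, or anything else, and the same input is equally uninterpretable for zeek-cut.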
Environment
ZEEK_CUT_TIMEFMT
For the time conversion options -d and -u, the format string used for output can be set through this
environment variable instead of being given with -D or -U (see strftime(3) for the syntax).
Examples
Output three columns and convert time values:
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
Output all columns and convert time values with a custom format string:
cat conn.log | zeek-cut -D "%Y-%m-%d %H:%M:%S"
zeek-cut does not read compressed logs itself; decompress them with another utility and pipe the result in:
zcat conn.log.gz | zeek-cut
Name
zeek-cut - parse Zeek logs
Options
-c Include the first format header block in the output.
-C Include all format header blocks in the output.
-d Convert time values into human-readable format.
-D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).
-F <ofs> Use <ofs> as the output field separator instead of the input log's separator.
-h Show help.
-n Print all fields except those specified.
-u Like -d, but print timestamps in UTC instead of local time.
-U <fmt> Like -D, but print timestamps in UTC instead of local time.
See Also
strftime(3)
Synopsis
zeek-cut [options] [columns]
