.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.46.4.
.TH ZEEK-CUT "1" "November 2014" "zeek-cut " "User Commands"
.SH NAME
zeek-cut \- parse Zeek logs
.SH SYNOPSIS
.B zeek\-cut
[\fIoptions\fR] [\fIcolumns\fR]
.SH DESCRIPTION
Extracts the given columns from ASCII Zeek logs on standard input and writes
them to standard output. If no field names are given, all columns are selected. By
default,
.B zeek\-cut
does not include format header blocks in the output.
.PP
Columns are specified as a list of space-separated field names. The order of
the field names given to \fBzeek\-cut\fR determines the output order,
which means \fBzeek\-cut\fR can be used to reorder columns.
.PP
The ASCII Zeek logs read on standard input must have intact format header
blocks, because \fBzeek\-cut\fR needs this information to correctly interpret the
log file format. Because every header block is honoured, \fBzeek\-cut\fR can also
process the concatenation of multiple ASCII log files that have different column layouts.
.SH OPTIONS
.TP
\fB\-c\fR
Include the first format header block in the output.
.TP
\fB\-C\fR
Include all format header blocks in the output.
.TP
\fB\-m\fR
Include the first format header block in the output in minimal view.
.TP
\fB\-M\fR
Include all format header blocks in the output in minimal view.
.TP
\fB\-d\fR
Convert time values into human\-readable format.
.TP
\fB\-D\fR \fI<fmt>\fR
Like \fB\-d\fR, but specify the format for time values (see strftime(3) for syntax).
.TP
\fB\-F\fR \fI<ofs>\fR
Set a different output field separator character.
.TP
\fB\-h\fR
Show help.
.TP
\fB\-n\fR
Print all fields except those specified.
.TP
\fB\-u\fR
Like \fB\-d\fR, but print timestamps in UTC instead of local time.
.TP
\fB\-U\fR \fI<fmt>\fR
Like \fB\-D\fR, but print timestamps in UTC instead of local time.
.SH ENVIRONMENT
.TP
.B ZEEK_CUT_TIMEFMT
For the time conversion options \fB\-d\fR and \fB\-u\fR, the format string can be
specified by setting this environment variable.
.SH EXAMPLES
Output three columns and convert time values:
.br
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
.PP
Output all columns and convert time values with a custom format string:
.br
cat conn.log | zeek-cut -D "%Y-%m-%d %H:%M:%S"
.PP
Compressed logs must be uncompressed with another utility:
.br
zcat conn.log.gz | zeek-cut
.SH SEE ALSO
strftime(3)
.SH AUTHOR
.B zeek\-cut
was written by The Zeek Project <info@zeek.org>.
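.PP
The header\-block handling and time conversion described above, as an added example that is not part of zeek or this manual page: a small Python re\-implementation of the column selection, \fB\-n\fR exclusion and \fB\-d\fR/\fB\-u\fR conversion, run over a constructed log made of two concatenated layouts. The default time format and the use of the \fI#unset_field\fR marker for a column absent from a layout are assumptions, not documented behaviour.

```python
import os
from datetime import datetime, timezone
DEFAULT_TIMEFMT = "%Y-%m-%dT%H:%M:%S%z"  # assumed default for -d/-u output

# Constructed sample: two ASCII logs with different column layouts, concatenated,
# each carrying its own format header block (which zeek-cut requires).
SAMPLE_LOG = (
    "#separator \\x09\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    "1415000000.000000\tCAbc1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\n"
    "#close\t2014-11-03-07-33-20\n#separator \\x09\n#path\tdns\n"
    "#fields\tts\tid.orig_h\tid.orig_p\tquery\n#types\ttime\taddr\tport\tstring\n"
    "1415000060.500000\t10.0.0.7\t53001\texample.test\n"
)

def parse_separator(line):
    # "#separator \x09" -> the literal separator character (a tab here)
    spec = line.split(" ", 1)[1]
    return chr(int(spec[2:], 16)) if spec.startswith("\\x") else spec

def zeek_cut(text, columns=(), exclude=False, convert_time=False,
             utc=False, timefmt=None):
    """Yield the selected columns of each record; no columns means all."""
    fmt = timefmt or os.environ.get("ZEEK_CUT_TIMEFMT") or DEFAULT_TIMEFMT
    sep, fields, ftype, unset = "\t", [], {}, "-"
    for line in text.splitlines():
        if line.startswith("#separator"):
            sep = parse_separator(line)        # a new header block begins here
        elif line.startswith("#"):
            key, _, rest = line.partition(sep)
            if key == "#fields":
                fields = rest.split(sep)       # column names in log order
            elif key == "#types":
                ftype = dict(zip(fields, rest.split(sep)))
            elif key == "#unset_field":
                unset = rest                   # marker for absent values
        elif line:
            if not fields:
                raise ValueError("record seen before a #fields header line")
            record = dict(zip(fields, line.split(sep)))
            wanted = (list(columns) if columns and not exclude       # caller's order
                      else [f for f in fields if f not in columns])  # all / -n
            out = []
            for name in wanted:
                v = record.get(name, unset)    # assumption: absent column -> unset marker
                if convert_time and ftype.get(name) == "time" and v != unset:
                    tz = timezone.utc if utc else None
                    v = datetime.fromtimestamp(float(v), tz).strftime(fmt)
                out.append(v)
            yield out
```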