Key/value pair output
David
lists at edeca.net
Tue Apr 17 11:50:16 EDT 2012
Hi,
I have started looking at feeding argus data into Splunk. I know that
others have done this and have seen a few examples. It seems that CSV
is one way to go, but that requires teaching Splunk about the column
names (yes, there are workarounds).
Would it be possible for another output mode, in key/value pair format?
Something like the following:
StartTime=01:23:45.000000|Flgs=g|Proto=tcp|SrcAddr=1.2.3.4 ...
This is quite verbose, but is slightly more complete than CSV and feeds
into other tools (especially Splunk) very well. As long as none of the
fields contain an equals or pipe this shouldn't be a hard change to
make.
Is it worth writing a simple patch for?
David
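The format proposed in the post, worked through as an added example (this is not argus code, nor the patch David asks about): it takes ra-style CSV output with a header line (as ra prints with `-L 0 -c ,`, assumed here) and emits one `key=value` record per flow joined by `|`, and it handles the caveat raised above by quoting any value that contains the separator, an `=`, a quote, or whitespace. The sample CSV, the `Label` column contents, and the `parse_kv` inverse are constructed for the example so the round trip can be checked offline.

```python
"""Convert ra-style CSV (header row + comma-separated records) into
key=value records for a log indexer.  Added example; not part of argus."""
import csv
import io

# Constructed sample resembling `ra -L 0 -c , -s stime flgs proto saddr sport
# dir daddr dport label` output.  Values are illustrative, not a real capture;
# the second Label deliberately contains '=' and '|' to exercise the quoting.
SAMPLE_CSV = """StartTime,Flgs,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,Label
01:23:45.000000, e s ,tcp,1.2.3.4,51234,->,5.6.7.8,443,
01:23:46.250000, e d ,udp,1.2.3.4,53222,<->,5.6.7.9,53,dns=resolver|zone=internal
"""

SEP = "|"  # record separator between key=value pairs, as in the post


def quote_value(value: str, sep: str = SEP) -> str:
    """Return value as-is when it cannot confuse a key=value parser; otherwise
    wrap it in double quotes, backslash-escaping embedded quotes/backslashes."""
    if not any(c in value for c in (sep, "=", '"', "\\", " ", "\t")):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def record_to_kv(header: list[str], row: list[str], sep: str = SEP) -> str:
    """Pair one CSV row with the header names.  ra pads some columns (Flgs)
    with spaces, so values are stripped before quoting."""
    if len(row) != len(header):
        raise ValueError(f"expected {len(header)} fields, got {len(row)}: {row!r}")
    return sep.join(f"{k}={quote_value(v.strip(), sep)}" for k, v in zip(header, row))


def csv_to_kv(csv_text: str, sep: str = SEP) -> list[str]:
    """First line is the column header; every following non-empty line is a flow."""
    reader = csv.reader(io.StringIO(csv_text))
    header = [h.strip() for h in next(reader)]
    return [record_to_kv(header, row, sep) for row in reader if row]


def parse_kv(line: str, sep: str = SEP) -> dict[str, str]:
    """Inverse of record_to_kv: recover the fields, honouring the quoting.
    This is what a downstream key=value extractor has to do, and it is the
    check that quoting really protects values containing '=' or the separator."""
    fields: dict[str, str] = {}
    i, n = 0, len(line)
    while i < n:
        eq = line.index("=", i)          # key runs up to the first '='
        key = line[i:eq]
        i = eq + 1
        if i < n and line[i] == '"':     # quoted value: read to unescaped '"'
            i += 1
            buf = []
            while i < n and line[i] != '"':
                if line[i] == "\\" and i + 1 < n:
                    i += 1               # take the escaped character literally
                buf.append(line[i])
                i += 1
            value = "".join(buf)
            i += 1                       # skip closing quote
        else:                            # bare value: read to separator or end
            end = line.find(sep, i)
            end = n if end == -1 else end
            value = line[i:end]
            i = end
        fields[key] = value
        if i < n and line[i] == sep:
            i += 1
    return fields


if __name__ == "__main__":
    for kv in csv_to_kv(SAMPLE_CSV):
        print(kv)
        assert parse_kv(kv)["Label"] in ("", "dns=resolver|zone=internal")
```

The quoting step is what makes the "none of the fields contain an equals or pipe" assumption unnecessary on the consumer side; the remaining weak point is the CSV input itself, since a value that contained the CSV delimiter would already be split before this script saw it, which is an argument for doing the conversion inside ra rather than as a post-processing step.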