Key/value pair output

Carter Bullard carter at qosient.com
Tue Apr 17 11:55:11 EDT 2012


Hey David,
Can you see if the "-M xml" option provides the key value pairs you're looking for?
All ra* programs (get argus-clients-3.0.6.tar.gz from here:  http://qosient.com/argus/dev/argus-clients-latest.tar.gz).

If the actual XML gets in the way, you can strip out the delimiters and the
banners pretty easily.

Carter


On Apr 17, 2012, at 11:50 AM, David wrote:

> Hi,
> 
> I have started looking at feeding argus data into Splunk.  I know that others have done this and have seen a few examples.  It seems that CSV is one way to go, but that requires teaching Splunk about the column names (yes, there are workarounds).
> 
> Would it be possible for another output mode, in key/value pair format? Something like the following:
> 
> StartTime=01:23:45.000000|Flgs=g|Proto=tcp|SrcAddr=1.2.3.4 ...
> 
> This is quite verbose, but is slightly more complete than CSV and feeds into other tools (especially Splunk) very well.  As long as none of the fields contain an equals or pipe this shouldn't be a hard change to make.
> 
> Is it worth writing a simple patch for?
> 
> David
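An added example (not argus's code and not from either message in this thread): converting the XML records Carter points at into the `Key=Value|Key=Value` lines David sketches, backslash-escaping `=` and `|` inside a value so David's caveat about fields containing those characters is handled instead of corrupting the record. The `ArgusFlowRecord` element and attribute names in the sample are assumptions about argus's XML mode, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for "ra -M xml" output. The element and
# attribute names are an assumption, not taken from the thread. The Label
# value deliberately contains '=' and '|' to exercise the escaping.
SAMPLE_XML = """<ArgusDataStream>
<ArgusFlowRecord StartTime="01:23:45.000000" Flgs="g" Proto="tcp" SrcAddr="1.2.3.4" Sport="51234" DstAddr="5.6.7.8" Dport="80" State="CON"/>
<ArgusFlowRecord StartTime="01:23:46.000000" Flgs=" e " Proto="udp" SrcAddr="10.0.0.1" Sport="53" DstAddr="10.0.0.2" Dport="53" Label="svc=dns|env=prod"/>
</ArgusDataStream>
"""

_SPECIAL = re.compile(r"[\\=|]")


def _escape(value):
    # Prefix backslash, '=' and '|' with a backslash so the consumer cannot
    # confuse characters inside a value with pair or key/value separators.
    return _SPECIAL.sub(lambda m: "\\" + m.group(0), value)


def to_kv(fields):
    """Serialise an ordered mapping as Key=Value|Key=Value (one record per line)."""
    return "|".join(k + "=" + _escape(v) for k, v in fields.items())


def parse_kv(line):
    """Inverse of to_kv: split on unescaped '|', then on the first unescaped '='."""
    fields, key, buf, escaped = {}, None, [], False
    for ch in line + "|":  # trailing sentinel closes the last pair
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf), []
        elif ch == "|":
            fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields


def xml_to_kv_lines(xml_text):
    """Drop the wrapper element and emit one KV line per flow record.
    ElementTree keeps attribute order (Python 3.8+), so columns stay stable."""
    root = ET.fromstring(xml_text)
    return [to_kv(rec.attrib) for rec in root.iter("ArgusFlowRecord")]
```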
