Key/value pair output
Scott A. McIntyre
s.a.mcintyre at gmail.com
Tue Apr 17 19:41:48 EDT 2012
Hi David,
> I have started looking at feeding argus data into Splunk. I know that others have done this and have seen a few examples. It seems that CSV is one way to go, but that requires teaching Splunk about the column names (yes, there are workarounds).
>
> Would it be possible for another output mode, in key/value pair format? Something like the following:
>
> StartTime=01:23:45.000000|Flgs=g|Proto=tcp|SrcAddr=1.2.3.4 ...
>
> This is quite verbose, but is slightly more complete than CSV and feeds into other tools (especially Splunk) very well. As long as none of the fields contain an equals or pipe this shouldn't be a hard change to make.
For what it's worth, my solution to this is a transforms.conf entry of:
[argus-tsv]
FIELDS = "StartTime", "Proto", "SrcAddr", "Sport", "Dir", "DstAddr", "Dport", "TotPkts", "TotBytes", "State", "srcUdata", "dstUdata"
DELIMS = "\t"
And in props.conf:
[argus-tab]
CHECK_FOR_HEADER = TRUE
REPORT-argus = argus-tsv
And I run regular ra(1) queries with:
ra -n -R /argus -c \t -L0 -s -flgs +suser:512 +duser:512 - > argus.tsv
Now, I do this via a series of shell scripts and escape things and use time/date parsing a bit, but it's worked fine for years...
Regards,
Scott
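The thread above covers two ways of getting ra(1) output into Splunk: Scott's tab-separated file with a header line that transforms.conf maps to fields, and David's requested key=value|key=value record, with the caveat that it only works "as long as none of the fields contain an equals or pipe". The srcUdata/dstUdata payload fields are exactly where that assumption breaks, since they carry whatever bytes were on the wire. The script below is an added example, not code from the argus project or from either poster: it parses `ra -c '\t' -L0` style output (header first, one record per line, column count checked on every row) and emits escaped key/value records that survive `=`, `|`, backslashes and tabs in a payload. The sample lines, the `s[n]="..."` rendering of user data and the backslash escaping convention are all assumptions constructed for this example.

```python
"""Turn ra(1) tab-separated output into key=value|key=value records.

Added example, not code from the argus project or from the original post.
Assumes ra was run with a tab delimiter (-c) and a header line (-L0).
The sample records, the s[n]="..." payload rendering and the backslash
escaping of '\\', '=', '|', tab, CR and LF are this example's own
constructed conventions, chosen so a payload field can never break a record.
"""
from typing import Dict, List

# Constructed sample: header plus two records, as if printed by
#   ra -c '\t' -L0 -s -flgs +suser:64 +duser:64
# The user-data values are invented and deliberately contain '=' and '|'.
SAMPLE_TSV = (
    "StartTime\tProto\tSrcAddr\tSport\tDir\tDstAddr\tDport"
    "\tTotPkts\tTotBytes\tState\tsrcUdata\tdstUdata\n"
    "01:23:45.000000\ttcp\t192.0.2.10\t51234\t->\t198.51.100.7\t80"
    '\t12\t1540\tFIN\ts[30]="GET /?a=1|b=2 HTTP/1.1"\ts[15]="HTTP/1.1 200 OK"\n'
    "01:23:46.000000\tudp\t192.0.2.11\t5353\t<->\t224.0.0.251\t5353"
    '\t2\t180\tCON\ts[4]="mdns"\t\n'
)

_ESCAPE = {"\\": "\\\\", "=": "\\=", "|": "\\|", "\t": "\\t", "\r": "\\r", "\n": "\\n"}
_UNESCAPE = {"t": "\t", "r": "\r", "n": "\n"}


def parse_tsv(text: str) -> List[Dict[str, str]]:
    """Parse ra -c '\\t' -L0 output: first line names the columns.
    A row with the wrong column count is rejected rather than silently
    shifting payload bytes into the wrong Splunk field."""
    lines = text.split("\n")
    header = lines[0].split("\t")
    records = []
    for lineno, line in enumerate(lines[1:], start=2):
        if line == "":
            continue
        cols = line.split("\t")
        if len(cols) != len(header):
            raise ValueError(f"line {lineno}: expected {len(header)} columns, got {len(cols)}")
        records.append(dict(zip(header, cols)))
    return records


def well_formed(text: str) -> bool:
    """True when every data row matches the header's column count."""
    try:
        parse_tsv(text)
        return True
    except ValueError:
        return False


def escape(value: str) -> str:
    """Backslash-escape the characters that would otherwise read as structure."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unescape(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(_UNESCAPE.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, ignoring occurrences preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i : i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(s[i])
            i += 1
    parts.append("".join(cur))
    return parts


def to_kv(record: Dict[str, str]) -> str:
    """Render one record as key=value|key=value in header order."""
    return "|".join(f"{escape(k)}={escape(v)}" for k, v in record.items())


def parse_kv(line: str) -> Dict[str, str]:
    """Inverse of to_kv; verifies the escaping actually round-trips."""
    record = {}
    for pair in _split_unescaped(line, "|"):
        kv = _split_unescaped(pair, "=")
        if len(kv) != 2:
            raise ValueError(f"malformed pair: {pair!r}")
        record[unescape(kv[0])] = unescape(kv[1])
    return record


def tsv_to_kv_lines(text: str) -> List[str]:
    return [to_kv(r) for r in parse_tsv(text)]


if __name__ == "__main__":
    for kv in tsv_to_kv_lines(SAMPLE_TSV):
        print(kv)
```

Run it as `ra -n -R /argus -c '\t' -L0 -s -flgs +suser:512 +duser:512 - | python3 argus_kv.py` (the filename is hypothetical) after replacing `SAMPLE_TSV` with `sys.stdin.read()`. Whatever escaping scheme you settle on, the consumer side has to apply the matching unescape; a Splunk `EXTRACT` or `KV_MODE` configuration that is unaware of it will still split on the literal `|` inside a payload, which is why the round-trip check in `parse_kv` is worth keeping next to the writer.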