Renaming fields

Dave Edelman dedelman at iname.com
Sat Feb 23 22:06:17 EST 2013


Why bother with sed? As long as you know the field order and the names that
you want to assign to each, just create your radium output file without any
column headers. As a one-time effort, create a file that has the column
names in csv format.

 

$ cat header.csv radiumOutput.csv > importTo$plunk.csv 

 

--Dave
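The two approaches discussed in this thread (Dave's "prepend a one-time header file" and Craig's "pipe the ra output through sed and rewrite the header row") both come down to touching only line 1 of the export. The script below is an added example written for this archive page, not code from the thread or from the Argus project. It assumes the ra client was run with `-c ,` so its header is comma-separated, that the Argus field names in the sample (`stime`, `proto`, `saddr`, `sport`, `daddr`, `dport`, `dur`, `pkts`, `bytes`) are the ones printed in that header, and it uses Splunk CIM Network Traffic names (`src_ip`, `dest_port`, `duration`, ...) as the target; the mapping table itself is an assumption you would adjust. The sample ra output is constructed, not real capture data. Unlike a Splunk-side `rename`, the rewrite happens in one streaming pass and leaves the data rows untouched.

```shell
#!/bin/sh
# Added example (not from the argus-info thread or the Argus project):
# rewrite only the header row of an ra/racluster CSV export so the column
# names match Splunk CIM field names. Assumes the client was run with "-c ,"
# and that the Argus names below are what it prints in the header.
# dest_country (mentioned in the thread) is not an Argus field, so it is not
# mapped; add it in Splunk via a lookup instead.

# Assumed mapping, one "argus=cim" pair per line. Edit to taste.
FIELD_MAP='proto=transport
saddr=src_ip
sport=src_port
daddr=dest_ip
dport=dest_port
dur=duration
pkts=packets
bytes=bytes'

# rename_header: read CSV on stdin, rewrite line 1 per FIELD_MAP, and pass
# every other line through unchanged (no field reassignment, so $0 is intact).
rename_header() {
    awk -v map="$FIELD_MAP" '
        BEGIN {
            FS = OFS = ","
            n = split(map, pairs, "\n")
            for (i = 1; i <= n; i++) {
                eq = index(pairs[i], "=")
                if (eq > 0) m[substr(pairs[i], 1, eq - 1)] = substr(pairs[i], eq + 1)
            }
        }
        NR == 1 {
            for (i = 1; i <= NF; i++) if ($i in m) $i = m[$i]
        }
        { print }
    '
}

# Constructed sample of what "ra -c , -s stime proto saddr sport daddr dport dur pkts bytes"
# is assumed to emit; not real flow data.
SAMPLE_RA_OUTPUT='stime,proto,saddr,sport,daddr,dport,dur,pkts,bytes
1361660000.123456,tcp,10.0.0.5,51234,192.0.2.10,443,0.812345,12,3456
1361660001.000000,udp,10.0.0.7,5353,224.0.0.251,5353,0.000000,1,120'

# renamed_header: the rewritten first line of the sample, for a quick check.
renamed_header() {
    printf '%s\n' "$SAMPLE_RA_OUTPUT" | rename_header | head -n 1
}

# Typical use in the five-minute pipeline described in the thread:
#   racluster ... -c , | rename_header > importToSplunk.csv
printf '%s\n' "$SAMPLE_RA_OUTPUT" | rename_header
```

Fields not in the map keep their Argus names (here `stime`), so an unmapped column is visible in the output rather than silently dropped; check the first line of the file once after changing the `-s` field list, because a reordered or added field shifts nothing in the map but does change what Splunk sees.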

 

From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu
[mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On
Behalf Of Craig Merchant
Sent: Saturday, February 23, 2013 7:37 PM
To: Carter Bullard
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Renaming fields

 

We're using Splunk as our SIEM and flow analysis tool.  They have a "Common
Information Model" that standardizes a lot of fields found in different types
of event data (dest_port, dest_country, duration, etc.).

 

We're having racluster connect to radium for five minutes and write the
results to a table that we can import into Splunk for analysis.  So, I've
got to be able to import that data and run all of my analysis queries within
five minutes.  There is a "rename" command in Splunk that I can use to
rename the fields, but my research has shown that command takes almost as
long to run as the data import (30-45 seconds).

 

The most efficient thing to do is probably just pipe the racluster output to
sed and rewrite the header row.  I was just curious if there was an easy,
one-time change I could make that would achieve the same effect.

 

Thx.

 

Craig

 

From: Carter Bullard [mailto:carter at qosient.com] 
Sent: Saturday, February 23, 2013 10:32 AM
To: Craig Merchant
Cc: Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Renaming fields

 

Hmmm, renaming the fields?  Not thinking that is a good thing.

What do you want to rename?

Carter

 

On Feb 22, 2013, at 8:55 PM, Craig Merchant <cmerchant at responsys.com> wrote:

 

Is it possible to modify the names of the fields that ra clients output?

 

Thx.  I hope you're feeling better, Carter!

 

Craig

 
