Renaming fields

Carter Bullard carter at qosient.com
Sat Feb 23 23:07:07 EST 2013


Hey Craig,
You may want to write the records into an argus archive file and, at the end of the time period, run your racluster analytics, or run rabins(), connected to your real-time data source, to generate 5 min structured output; that was one of the tasks it was designed to do.

The analytics can change the names of the fields if you have to do that. We have many Perl examples that can do that type of conversion. But a shell program can eat your first line of output and write whatever you want. awk() is also very good at that.

Carter

On Feb 23, 2013, at 7:36 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> We’re using Splunk as our SIEM and flow analysis tool. They have a “Common Information Model” that standardizes a lot of fields found in different types of event data (dest_port, dest_country, duration, etc.).
>  
> We’re having racluster connect to radium for five minutes and write the results to a table that we can import into Splunk for analysis. So, I’ve got to be able to import that data and run all of my analysis queries within five minutes. There is a “rename” command in Splunk that I can use to rename the fields, but my research has shown that command takes almost as long to run as the data import (30-45 seconds).
>  
> The most efficient thing to do is probably just pipe the racluster output to sed and rewrite the header row. I was just curious if there was an easy, one-time change I could make that would achieve the same effect.
>  
> Thx.
>  
> Craig
>  
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Saturday, February 23, 2013 10:32 AM
> To: Craig Merchant
> Cc: Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Renaming fields
>  
> Hmmm, renaming the fields?  Not thinking that is a good thing.
> What do you want to rename?
> Carter
>  
> On Feb 22, 2013, at 8:55 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> Is it possible to modify the names of the fields that ra clients output?
>  
> Thx.  I hope you’re feeling better, Carter!
>  
> Craig
>  
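Added example, not part of the original thread and not code from the argus project: the header rewrite discussed above, done with awk so that only the first line is touched and flow records pass through unchanged. The function name `rename_header`, the argus-label to Splunk CIM mapping in `MAP`, and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed mapping from argus column labels to Splunk CIM field names.
# Adjust it to the columns your racluster command actually prints.
MAP='SrcAddr=src_ip DstAddr=dest_ip Sport=src_port Dport=dest_port Proto=transport Dur=duration TotPkts=packets TotBytes=bytes'

rename_header() {
    # $1 = column delimiter (default ","); records on stdin, result on stdout
    awk -v FS="${1:-,}" -v OFS="${1:-,}" -v map="$MAP" '
        BEGIN {
            n = split(map, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                cim[kv[1]] = kv[2]
            }
        }
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                name = $i
                gsub(/^[ \t]+|[ \t]+$/, "", name)    # tolerate padded labels
                $i = (name in cim) ? cim[name] : name # unknown labels are kept
            }
            print
            next
        }
        { print }   # data rows are never rewritten, even if they contain a label
    '
}

# Constructed sample of delimited racluster output (documentation addresses).
sample_flows() {
    printf '%s\n' 'StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,TotPkts,TotBytes,Dur'
    printf '%s\n' '1361678400.000000,tcp,192.0.2.10,51514,198.51.100.7,443,12,4312,0.483112'
    printf '%s\n' '1361678401.250000,udp,192.0.2.11,53211,198.51.100.53,53,2,186,0.002310'
}

sample_flows | rename_header ,
```

Restricting the rewrite to line 1 avoids the risk of a global substitution altering a data value that happens to match a label.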