Convert argus records to CSV

Jesse Bowling jessebowling at gmail.com
Mon Jan 14 10:06:12 EST 2013


Not on-topic, but I found some other options that were useful for me to
output argus records in the specific format I needed to send to other
entities; in particular I found it is trivially easy to have all timestamps
converted to UTC regardless of what your local time zone is.

In your rarc file, set:

RA_TZ="UTC"

Setting the timestamp format is easy using:

RA_TIME_FORMAT
       For ra() like clients, the format that is used to print timestamps
       is based on the strftime() library call, with an extension to print
       fractions of a sec using "%f". The default is "%T.%f". You can
       override this default time format by setting this variable. This
       string must conform to the format specified in strftime(). Malformed
       strings can generate interesting output, so be aware with this one,
       and don't forget the '.' when doing fractions of a second.

       RA_TIME_FORMAT="%T.%f"

The strftime support means you can twiddle the format to whatever you desire.

Limiting the fields that are output is also easily done using, for instance:

RA_FIELD_SPECIFIER="stime:24 saddr sport suser:64"

It's quite nice to have all these options configurable via conf file, as
you can essentially create 'report' formats that are called with the '-F'
option, as Carter mentions. The options are documented in the man page;
"man rarc" locally and online at
http://qosient.com/argus/man/man5/rarc.5.pdf ...

Cheers,

Jesse


On Sun, Jan 13, 2013 at 10:48 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Craig,
> All the ra* programs can do this, it's just an output format.
> Just set the field separator to comma.
>
>    ra -S argus.data.source -c ,
>
> or you can set it in your rarc file using the RA_FIELD_DELIMITER.
> Here is the relevant text in the sample rarc file.
>
> # Most ra* clients are designed to print argus records out in ASCII,
> # with each client supporting its own output formats.  For ra() like
> # clients, this variable can override the default field delimiter,
> # which is variable spans of space (' '), to be any character.
> # The most common are expected to be '\t' for tabs, and ',' for
> # comma separated fields.
> #
> RA_FIELD_DELIMITER=''
>
> Set that like this, in, let's say, /tmp/rarc if you don't want to do it in
> your ~/.rarc file.
>
> RA_FIELD_DELIMITER=','
>
> and then run ra like this:
>
>    ra -F /tmp/rarc -S argus.data.source
>
> Carter
>
>
>
> On Jan 13, 2013, at 10:38 PM, Craig Merchant <cmerchant at responsys.com>
> wrote:
>
> Has anyone in the community written a script or figured out a sed command
> that will output or convert argus data into a csv file format?
>
> Thanks!
>
> Craig
>
>
>


-- 
Jesse Bowling
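An added example, not part of this thread and not code from the argus project: a small Python consumer for the CSV that ra prints under a report-style rarc like the one discussed above. It assumes a rarc with RA_TZ="UTC", RA_FIELD_DELIMITER=',', RA_FIELD_SPECIFIER="stime saddr sport suser:64" and a date-bearing RA_TIME_FORMAT of "%Y-%m-%d %H:%M:%S.%f" (the default "%T.%f" prints only the time of day, so it is not used here). The sample rows are constructed and the suser contents are invented. Because suser carries bytes captured from the wire, the delimiter itself can turn up inside that column; the parser only re-joins surplus columns when the payload field is last in the specifier, and rejects any other row that does not validate rather than guessing.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone

# Settings mirrored from the assumed 'report' rarc. The strftime string and the
# field list are assumptions for this example, not argus defaults.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"   # date-bearing, unlike the default "%T.%f"
FIELD_SPEC = "stime saddr sport suser:64"
DELIMITER = ","

# Constructed sample of what ra would print with that rarc (RA_TZ="UTC").
# The suser column is treated as opaque text; its contents are invented.
# Row 3 contains the delimiter inside the payload, row 4 has a bad timestamp.
SAMPLE = (
    "2013-01-14 15:06:12.123456,192.0.2.10,52314,GET /index.html\n"
    "2013-01-14 15:06:13.000001,192.0.2.11,443,\n"
    "2013-01-14 15:06:14.500000,198.51.100.7,80,a,b,c\n"
    "notatime,192.0.2.12,22,\n"
)

# Fields whose content comes from packet payload and may contain anything.
PAYLOAD_FIELDS = {"suser", "duser"}


def fields_from_spec(spec):
    """'stime saddr sport suser:64' -> ['stime', 'saddr', 'sport', 'suser']."""
    return [f.split(":", 1)[0] for f in spec.split()]


def parse_stime(value, fmt):
    # RA_TZ="UTC" means the printed time is already UTC; attach tzinfo explicitly
    # so downstream consumers cannot misread it as local time.
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_rows(text, spec=FIELD_SPEC, fmt=TIME_FORMAT, delim=DELIMITER):
    """Return (records, rejected). records: list of validated dicts with an
    ISO-8601 UTC stime; rejected: list of (line number, reason)."""
    fields = fields_from_spec(spec)
    records, rejected = [], []
    # QUOTE_NONE: do not let a quote character in payload change how we split.
    reader = csv.reader(io.StringIO(text), delimiter=delim, quoting=csv.QUOTE_NONE)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue
        # The delimiter may legitimately occur inside payload bytes. Only when
        # the payload column is the last one can surplus columns be glued back
        # on unambiguously; any other column-count mismatch is a malformed row.
        if len(row) > len(fields) and fields[-1] in PAYLOAD_FIELDS:
            row = row[: len(fields) - 1] + [delim.join(row[len(fields) - 1:])]
        if len(row) != len(fields):
            rejected.append((lineno, "column count"))
            continue
        rec = dict(zip(fields, row))
        try:
            rec["stime"] = parse_stime(rec["stime"], fmt).isoformat()
            rec["saddr"] = str(ipaddress.ip_address(rec["saddr"]))
            rec["sport"] = int(rec["sport"])
            if not 0 <= rec["sport"] <= 65535:
                raise ValueError("port out of range")
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        records.append(rec)
    return records, rejected


if __name__ == "__main__":
    good, bad = parse_rows(SAMPLE)
    for rec in good:
        print(rec)
    for lineno, why in bad:
        print(f"rejected line {lineno}: {why}")
```

The same check is worth running on the receiving side whenever argus CSV is handed to another entity: a field specifier fixes the column order, so a column count that disagrees with it is the cheapest signal that a delimiter collision or a truncated line has corrupted the record.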