Convert argus records to CSV

Craig Merchant cmerchant at responsys.com
Mon Jan 14 12:34:12 EST 2013


For the ra tools and radium that support using variables for output file name, is it possible for those tools to use a Unix epoch time value in a file name or is that limited to month/day/hour/minute…?

From: Jesse Bowling [mailto:jessebowling at gmail.com]
Sent: Monday, January 14, 2013 7:06 AM
To: Carter Bullard
Cc: Craig Merchant; Argus (argus-info at lists.andrew.cmu.edu)
Subject: Re: [ARGUS] Convert argus records to CSV

Not on-topic, but I found some other options that were useful for me to output argus records in the specific format I needed to send to other entities; in particular I found it is trivially easy to have all timestamps converted to UTC regardless of what your local time zone is.

In your rarc file, set:

RA_TZ="UTC"

Setting the timestamp format is easy using:

RA_TIME_FORMAT
       For ra() like clients, the format that is used to print timestamps is based on the strftime() library call, with an extension to print fractions of a second using "%f". The default is "%T.%f". You can
       override this default time format by setting this variable. This string must conform to the format specified in strftime(). Malformed strings can generate interesting output, so be aware with this one, and
       don't forget the '.' when doing fractions of a second.

       RA_TIME_FORMAT="%T.%f"

The strftime support means you can twiddle the format to whatever you desire.

Limiting the fields that are output is also easily done using, for instance:

RA_FIELD_SPECIFIER="stime:24 saddr sport suser:64"

It's quite nice to have all these options configurable via conf file, as you can essentially create 'report' formats that are called with the '-F' option, as Carter mentions. The options are documented in the man page; "man rarc" locally and online at http://qosient.com/argus/man/man5/rarc.5.pdf ...

Cheers,

Jesse

On Sun, Jan 13, 2013 at 10:48 PM, Carter Bullard <carter at qosient.com> wrote:
Hey Craig,
All the ra* programs can do this, it's just an output format.
Just set the field separator to comma.

   ra -S argus.data.source -c ,

or you can set it in your rarc file using the RA_FIELD_DELIMITER.
Here is the relevant text in the sample rarc file.

# Most ra* clients are designed to print argus records out in ASCII,
# with each client supporting its own output formats.  For ra() like
# clients, this variable can override the default field delimiter,
# which is a variable span of spaces (' '), to be any character.
# The most common are expected to be '\t' for tabs, and ',' for
# comma separated fields.
#
RA_FIELD_DELIMITER=''

Set that like this, in, let's say, /tmp/rarc if you don't want to do it in your ~/.rarc file.

RA_FIELD_DELIMITER=','

and then run ra like this:

   ra -F /tmp/rarc -S argus.data.source

Carter



On Jan 13, 2013, at 10:38 PM, Craig Merchant <cmerchant at responsys.com> wrote:


Has anyone in the community written a script or figured out a sed command that will output or convert argus data into a csv file format?

Thanks!

Craig




--
Jesse Bowling
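Putting the thread's pieces together as one shell script. This is an added example, not code from any of the participants or from the argus distribution. It writes a rarc profile with the variables discussed above (RA_TZ, RA_TIME_FORMAT, RA_FIELD_DELIMITER, RA_FIELD_SPECIFIER), runs ra with -F against it if ra is installed, and then checks the resulting CSV for rows whose column count does not match the field list. The path /tmp/rarc-csv, the ARGUS_FILE variable and the field list are assumptions; the only ra options used are -F and -r, which the man page documents.

```shell
#!/bin/sh
# Added example (not from the thread or the argus project): a rarc profile
# for UTC-stamped CSV output, plus a sanity check on the generated rows.
# /tmp/rarc-csv, ARGUS_FILE and the default field list are assumptions.

# Write a rarc profile with the variables the thread discusses.
# $1 = path to write; $2 = optional RA_FIELD_SPECIFIER value.
make_csv_rarc() {
    path=$1
    fields=${2:-"stime:24 saddr sport daddr dport proto"}
    cat > "$path" <<EOF
RA_TZ="UTC"
RA_TIME_FORMAT="%Y-%m-%dT%H:%M:%S.%f"
RA_FIELD_DELIMITER=','
RA_FIELD_SPECIFIER="$fields"
EOF
}

# Number of fields named in the profile's RA_FIELD_SPECIFIER line, which is
# the number of comma-separated columns every output row should have.
expected_columns() {
    sed -n 's/^RA_FIELD_SPECIFIER="\(.*\)"$/\1/p' "$1" | wc -w | tr -d ' '
}

# Print every line of CSV file $1 whose field count differs from $2.
# Returns 1 if any such line exists, 0 otherwise. A row with too many
# fields usually means a field value itself contained the delimiter.
check_columns() {
    awk -F',' -v want="$2" '
        NF != want { bad++; print FILENAME ":" NR ": " NF " fields: " $0 }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Stand-alone use: ARGUS_FILE=/path/to/argus.out sh this_script.sh
# Skipped when ra is not installed or no input file is given.
if [ -n "${ARGUS_FILE:-}" ] && command -v ra >/dev/null 2>&1; then
    make_csv_rarc /tmp/rarc-csv
    ra -F /tmp/rarc-csv -r "$ARGUS_FILE" > /tmp/argus.csv
    check_columns /tmp/argus.csv "$(expected_columns /tmp/rarc-csv)"
fi
```

The column check is the caveat worth keeping around: a plain delimiter substitution is only CSV as long as no field value contains the delimiter, and fields carrying payload bytes such as suser are exactly where a comma can appear. If check_columns reports drifting rows, switch RA_FIELD_DELIMITER to '\t' (the other delimiter the sample rarc suggests) or drop the offending field from RA_FIELD_SPECIFIER before handing the file to another tool.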