Convert argus records to CSV

Carter Bullard carter at qosient.com
Mon Jan 14 12:41:18 EST 2013


Hey Craig,
They are just strings, so if you want to use the "-u" option to print Unix Time,
then you will use "$stime" in the pathname to get the structure you want.
And you can mix if you want.

   rasplit -u -w /path/to/archive/%Y/%m/argus.\$stime.out -M time 1h

should work fine.  If not, yell, and we'll make it work.
Play around with it, it really is very very flexible.

Carter

On Jan 14, 2013, at 12:34 PM, Craig Merchant <cmerchant at responsys.com> wrote:

> For the ra tools and radium that support using variables for output file name, is it possible for those tools to use a Unix epoch time value in a file name or is that limited to month/day/hour/minute…?
>  
> From: Jesse Bowling [mailto:jessebowling at gmail.com] 
> Sent: Monday, January 14, 2013 7:06 AM
> To: Carter Bullard
> Cc: Craig Merchant; Argus (argus-info at lists.andrew.cmu.edu)
> Subject: Re: [ARGUS] Convert argus records to CSV
>  
> Not on-topic, but I found some other options that were useful for me to output argus records in the specific format I needed to send to other entities; in particular I found it is trivially easy to have all timestamps converted to UTC regardless of what your local time zone is.
> 
> In your rarc file, set:
> 
> RA_TZ="UTC"
> 
> Setting the timestamp format is easy using:
> 
> RA_TIME_FORMAT
>        For ra() like clients, the format that is used to print timestamps, is based on the strftime() library call, with an extension to print fractions of a sec using "%f".  The default is "%T.%f".  You can
>        override this default time format by setting this variable.  This string must conform to the format specified in strftime().  Malformed strings can generate interesting output, so be aware with this one, and
>        don’t forget the ’.’ when doing fractions of a second.
> 
>        RA_TIME_FORMAT="%T.%f"
> 
> The strftime support means you can twiddle the format to whatever you desire
> 
> Limiting the fields that are output is also easily done using, for instance:
> 
> RA_FIELD_SPECIFIER="stime:24 saddr sport suser:64"
> 
> It's quite nice to have all these options configurable via conf file, as you can essentially create 'report' formats that are called with the '-F' option, as Carter mentions. The options are documented in the man page; "man rarc" locally and online at http://qosient.com/argus/man/man5/rarc.5.pdf ...
> 
> Cheers,
> 
> Jesse
> 
> 
> On Sun, Jan 13, 2013 at 10:48 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Craig,
> All the ra* programs can do this, it's just an output format.
> Just set the field separator to comma.
>  
>    ra -S argus.data.source -c ,
>  
> or you can set it in your rarc file using the RA_FIELD_DELIMITER.
> Here is the relevant text in the sample rarc file.
>  
> # Most ra* clients are designed to print argus records out in ASCII,
> # with each client supporting its own output formats.  For ra() like
> # clients, this variable can override the default field delimiter,
> # which are variable spans of space (' '), to be any character.
> # The most common are expected to be '\t' for tabs, and ',' for
> # comma separated fields.
> #
> RA_FIELD_DELIMITER=''
>  
> Set that like this, in, let's say, /tmp/rarc if you don't want to do it in your ~/.rarc file.
>  
> RA_FIELD_DELIMITER=','
>  
> and then run ra like this:
>  
>    ra -F /tmp/rarc -S argus.data.source
>  
> Carter
>  
>  
>  
> On Jan 13, 2013, at 10:38 PM, Craig Merchant <cmerchant at responsys.com> wrote:
> 
> 
> Has anyone in the community written a script or figured out a sed command that will output or convert argus data into a csv file format?
>  
> Thanks!
>  
> Craig
>  
> 
> 
> 
> -- 
> Jesse Bowling
> 
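
An added example, not part of the thread or of the argus distribution: a Python reader for output produced with the rarc settings quoted above, converting the UTC start time to Unix epoch seconds. The RA_TIME_FORMAT value, the sample lines and the assumption that ra writes fields unquoted (so a comma inside the trailing suser field is data, not a separator) are this example's own.

```python
from datetime import datetime, timezone

# Assumed rarc profile (variables from the thread; the time format value is chosen here):
#   RA_TZ="UTC"
#   RA_TIME_FORMAT="%Y-%m-%d %T.%f"
#   RA_FIELD_DELIMITER=','
#   RA_FIELD_SPECIFIER="stime:24 saddr sport suser:64"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Python spelling of "%Y-%m-%d %T.%f"
FIELDS = ("stime", "saddr", "sport", "suser")

# Constructed sample output, not captured from a real sensor.
SAMPLE = """\
StartTime,SrcAddr,Sport,srcUdata
2013-01-14 17:41:18.250000,192.0.2.10,51515,GET /a,b HTTP/1.1
2013-01-14 17:41:19.000000,192.0.2.11,,
truncated line
"""

def parse_line(line):
    """Return a record dict, or None for label, blank and malformed lines."""
    # Split at most len(FIELDS)-1 times so commas inside suser stay in suser.
    parts = line.rstrip("\n").split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    try:
        ts = datetime.strptime(rec["stime"], TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # e.g. the column label line
    rec["epoch"] = ts.timestamp()
    rec["sport"] = int(rec["sport"]) if rec["sport"].isdigit() else None
    return rec

def parse_output(text):
    """Parse a block of ra output; return (records, number of skipped lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped

if __name__ == "__main__":
    records, skipped = parse_output(SAMPLE)
    for r in records:
        print(r["epoch"], r["saddr"], r["sport"], repr(r["suser"]))
    print("skipped lines:", skipped)
```

Because the split is positional, the field list in the script has to match RA_FIELD_SPECIFIER, with the free-form field kept last.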
