Unix epoch time for rasplit filenames

John Gerth gerth at graphics.stanford.edu
Mon Jan 14 15:18:10 EST 2013 

Any strftime() substitution can be used and  "%s" formatting value is unix epoch time in seconds, e.g.
   rasplit -M 10 -w /argus/archive/flow_%s  .....

John Gerth      gerth at graphics.stanford.edu  Gates 378   (650) 725-3273 fax 725-6949

On 1/14/2013 9:34 AM, Craig Merchant wrote:
> For the ra tools and radium that support using variables for output file name, is it possible for those tools to use a Unix epoch time value in a file
> name or is that limited to month/day/hour/minute…?
> 
>  
> 
> *From:*Jesse Bowling [mailto:jessebowling at gmail.com]
> *Sent:* Monday, January 14, 2013 7:06 AM
> *To:* Carter Bullard
> *Cc:* Craig Merchant; Argus (argus-info at lists.andrew.cmu.edu)
> *Subject:* Re: [ARGUS] Convert argus records to CSV
> 
>  
> 
> Not on-topic, but I found some other options that were useful for me to output argus records in the specific format I needed to send to other
> entities; in particular I found it is trivially easy to have all timestamps converted to UTC regardless of what your local time zone is.
> 
> In your rarc file, set:
> 
> RA_TZ="UTC"
> 
> Setting the timestamp format is easy using:
> 
> RA_TIME_FORMAT
>        For  ra()  like  clients,  the  format  that is used to print timestamps, is based on the strftime() library call, with an extension to print
> fractions of a sec using "%f".  The default is "%T.%f".  You can
>        overide this default time format by setting this variable.  This string must conform to the format specified in strftime().  Malformed strings
> can generate interesting output, so be aware with this one, and
>        don’t forget the ’.’ when doing fractions of a second.
> 
>        RA_TIME_FORMAT="%T.%f"
> 
> The strftime support means you can twiddle the format to whatever you desire
> 
> Limiting the fields that are output is also easily done using, for instance:
> 
> RA_FIELD_SPECIFIER="stime:24 saddr sport suser:64"
> 
> It's quite nice to have all these options configurable via conf file, as you can essentially create 'report' formats that are called with the '-F'
> option, as Carter mentions. The options are documented in the man page; "man rarc" locally and online at http://qosient.com/argus/man/man5/rarc.5.pdf ...
> 
> Cheers,
> 
> Jesse
> 
> On Sun, Jan 13, 2013 at 10:48 PM, Carter Bullard <carter at qosient.com <mailto:carter at qosient.com>> wrote:
> 
> Hey Craig,
> 
> All the ra* programs can do this, its just an output format.
> 
> Just set the field separator to comma.
> 
>  
> 
>    ra -S argus.data.source -c ,
> 
>  
> 
> or you can set it in your rarc file using the RA_FIELD_DELIMITER.
> 
> Here is the relevant text in the sample rarc file.
> 
>  
> 
> # Most ra* clients are designed to print argus records out in ASCII,
> 
> # with each client supporting its own output formats.  For ra() like
> 
> # clients, this variable can overide the default field delimiter,
> 
> # which are variable spans of space (' '), to be any character.
> 
> # The most common are expected to be '\t' for tabs, and ',' for
> 
> # comma separated fields.
> 
> #
> 
> RA_FIELD_DELIMITER=''
> 
>  
> 
> Set that like this, in lets say /tmp/rarc if you don't want to do it in your ~/.rarc file.
> 
>  
> 
> RA_FIELD_DELIMITER=','
> 
>  
> 
> and then run ra like this:
> 
>  
> 
>    ra -F /tmp/rarc -S argus.data.source
> 
>  
> 
> Carter
> 
>  
> 
>  
> 
>  
> 
> On Jan 13, 2013, at 10:38 PM, Craig Merchant <cmerchant at responsys.com <mailto:cmerchant at responsys.com>> wrote:
> 
> 
> 
> Has anyone in the community written a script or figured out a sed command that will output or convert argus data into a csv file format?
> 
>  
> 
> Thanks!
> 
>  
> 
> Craig
> 
>  
> 
> 
> 
> 
> -- 
> Jesse Bowling
>

More information about the argus mailing list