NAME

zeek-cut - parse Zeek logs

SYNOPSIS

zeek-cut [options] [columns]

DESCRIPTION

Extracts the given columns from ASCII Zeek logs on standard input, and outputs them to standard output. If no field names are given, all are selected. By default, zeek-cut does not include format header blocks in the output.

Columns are specified as a list of space-separated field names. The order of field names given to zeek-cut determines the output order, which means zeek-cut can be used to reorder columns.

The ASCII Zeek logs read on standard input must have intact format header blocks because zeek-cut needs this information to correctly interpret the log file format. In fact, zeek-cut can process the concatenation of multiple ASCII log files that have different column layouts.

OPTIONS

-c: Include the first format header block in the output.
-C: Include all format header blocks in the output.
-d: Convert time values into human-readable format.

-D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).

-F <ofs> Sets a different output field separator character.

-h: Show help.
-n: Print all fields except those specified.
-u: Like -d, but print timestamps in UTC instead of local time.

-U <fmt> Like -D, but print timestamps in UTC instead of local time.

ENVIRONMENT

ZEEK_CUT_TIMEFMT: For time conversion option -d or -u, the format string can be specified by setting this environment variable.

EXAMPLES

Output three columns and convert time values:
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p

Output all columns and convert time values with a custom format string:
cat conn.log | zeek-cut -D "%Y-%m-%d %H:%M:%S"

Compressed logs must be uncompressed with another utility:
zcat conn.log.gz | zeek-cut

AUTHOR

zeek-cut was written by The Zeek Project <info@zeek.org>.