zeek-cut - Man Page

parse Zeek logs

Synopsis

zeek-cut [options] [columns]

Description

Extracts the given columns from ASCII Zeek logs on standard input, and outputs them to standard output.  If no field names are given, all are selected. By default, zeek-cut does not include format header blocks in the output.

Columns are specified as a list of space-separated field names.  The order of field names given to zeek-cut determines the output order, which means zeek-cut can be used to reorder columns.

The ASCII Zeek logs read on standard input must have intact format header blocks because zeek-cut needs this information to correctly interpret the log file format.  In fact, zeek-cut can process the concatenation of multiple ASCII log files that have different column layouts.

Options

-c

Include the first format header block in the output.

-C

Include all format header blocks in the output.

-m

Include the first format header block in the output in minimal view.

-M

Include all format header blocks in the output in minimal view.

-d

Convert time values into human-readable format.

-D <fmt>

Like -d, but specify format for time (see strftime(3) for syntax).

-F <ofs>

Sets a different output field separator character.

-h

Show help.

-n

Print all fields except those specified.

-u

Like -d, but print timestamps in UTC instead of local time.

-U <fmt>

Like -D, but print timestamps in UTC instead of local time.

Environment

ZEEK_CUT_TIMEFMT

For the time conversion options -d or -u, the format string can be specified by setting this environment variable.

Examples

Output three columns and convert time values:
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p

Output all columns and convert time values with a custom format string:
cat conn.log | zeek-cut -D "%Y-%m-%d %H:%M:%S"

Compressed logs must be uncompressed with another utility:
zcat conn.log.gz | zeek-cut
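The following is an added Python re-implementation of the header-aware extraction described above (column selection, -n, -D/-U time formatting, -F separator, and a concatenated input whose two fragments have different column layouts); it is not zeek-cut's own code. The sample log is constructed, and emitting Zeek's unset marker "-" for a requested field that a layout lacks is an assumption made here.

```python
from datetime import datetime, timezone

# Constructed sample: two ASCII Zeek log fragments concatenated, each with its own
# format header block and a different column layout; tabs written as \t.
SAMPLE = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    "1416182400.000000\tCAbc1\t10.0.0.5\t51234\t10.0.0.9\t22\ttcp\n"
    "#fields\tts\tuid\tid.orig_h\tproto\tid.orig_p\n"
    "#types\ttime\tstring\taddr\tenum\tport\n"
    "1416182460.500000\tCDef2\t10.0.0.7\tudp\t53\n"
)

def zeek_cut(lines, columns=None, negate=False, timefmt=None, utc=False, ofs="\t"):
    """columns: field names in output order (None = all); negate: like -n;
    timefmt: like -D/-U (strftime syntax); utc: UTC instead of local time."""
    sep, fields, types = "\t", None, None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#separator "):
            # the header states the separator in escaped form, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]      # a new layout may start at any point
            continue
        if line.startswith("#types"):
            types = line.split(sep)[1:]
            continue
        if not line or line.startswith("#"):
            continue                          # #path, #open, #close, ... carry no data
        if fields is None:
            raise ValueError("data line seen before any #fields header block")
        row = dict(zip(fields, line.split(sep)))
        if columns is None:
            selected = fields
        elif negate:
            selected = [f for f in fields if f not in columns]
        else:
            selected = columns
        out = []
        for name in selected:
            val = row.get(name, "-")          # assumption: missing field -> unset marker
            is_time = types is not None and name in fields and types[fields.index(name)] == "time"
            if timefmt and is_time and val != "-":
                tz = timezone.utc if utc else None
                val = datetime.fromtimestamp(float(val), tz).strftime(timefmt)
            out.append(val)
        yield ofs.join(out)
```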

See Also

strftime(3)

Author

zeek-cut was written by The Zeek Project <info@zeek.org>.

Referenced By

zeek(8).

November 2014