> On Aug 12, 2016, at 2:14 PM, Aashish Sharma <[email protected]> wrote:
> 
> Maybe try: ftp://ftp.ee.lbl.gov/cf-1.2.5.tar.gz
> 
> e.g.: cf conn.log | less
> 

Yeah.. cf should be a few times faster than bro-cut for busy log files, 
especially if the only thing you are doing is converting the timestamp.
It has an optimization that bro-cut doesn't have yet for avoiding converting 
timestamps if the current one is the same second as the previous one.

If you are using both tools though and only extracting a few fields, piping 
bro-cut to cf should be faster than piping cf to bro-cut.

I'm not sure why converting the timestamp is so important though.   What are 
you doing with the data once you convert the timestamps?


-- 
- Justin Azoff


_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
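
The same-second optimization mentioned in the reply above, as an added Python sketch; it is not code from cf or bro-cut and not part of the original message. The function name, the UTC output format and the sample log lines are assumptions made for illustration.

```python
import time

# Constructed sample: a header line plus five conn.log-style records
# (tab-separated, epoch timestamp in the first column) spanning two seconds.
SAMPLE = [
    "#fields\tts\tuid\tid.orig_h",
    "1470960000.100000\tCaaa\t10.0.0.1",
    "1470960000.900000\tCbbb\t10.0.0.2",
    "1470960001.000001\tCccc\t10.0.0.3",
    "1470960001.500000\tCddd\t10.0.0.4",
    "1470960001.999999\tCeee\t10.0.0.5",
]

def convert_log(lines, fmt="%Y-%m-%dT%H:%M:%S"):
    """Replace the leading epoch timestamp of each record with UTC text.

    Returns (converted_lines, conversions). The formatted string is reused
    while consecutive records fall in the same whole second, so
    `conversions` counts how often the costly formatting step really ran.
    """
    out = []
    conversions = 0
    last_sec = None
    last_text = None
    for line in lines:
        # Header and comment lines pass through untouched.
        if line.startswith("#"):
            out.append(line)
            continue
        ts, sep, rest = line.partition("\t")
        try:
            sec = int(ts.partition(".")[0])
        except ValueError:
            # Unset ("-") or malformed timestamp: leave the record as it is.
            out.append(line)
            continue
        if sec != last_sec:
            # Only a new second pays for gmtime() + strftime().
            last_text = time.strftime(fmt, time.gmtime(sec))
            last_sec = sec
            conversions += 1
        out.append(last_text + sep + rest)
    return out, conversions

if __name__ == "__main__":
    converted, n = convert_log(SAMPLE)
    print("\n".join(converted))
    print("records: 5, conversions:", n)
```

The sketch drops the sub-second part of the timestamp; on a busy log, where many records share a second, the number of conversions falls well below the number of records.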