jq is super useful, once somebody explains the basics to you. Here I am explaining the basics in a way that's applicable for all you DFIR types.

https://righteousit.com/2026/04/06/jq-for-forensics/

#JSON #DFIR #Linux

jq For Forensics

jq is a great tool for parsing JSON data. But DFIR professionals often apply jq differently from the typical examples you see written for developers.

Righteous IT
@hal_pomeranz jq is my boyfriend
@0x00string jq is in my "parsing hall of fame" along with awk and tshark.
@hal_pomeranz @0x00string tried fq? i know some ppl have used it for forensic related things
@wader @0x00string Interesting. I’ve not had a use case for that, but it looks cool.
@hal_pomeranz @0x00string btw one of my favorite things in jq that might be useful for you is construct/destruct shorthands, ex:
.. | {a, $b} is same as {a: .a, b: $b}
.. | . as {$a} is same as {a: $a}
destruct also works with arrays/nested:
.. | . as [$first, {b: $second_inside_object}]
practical example:
$ jq -c '{_HOSTNAME, MESSAGE}' journal.json
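The shorthand forms above, worked through on constructed journald-style records (added example, not part of the thread; it assumes jq is installed, the two JSON lines are made up for illustration, and the field names follow the `journalctl -o json` export format). The long-form and shorthand object constructions are run side by side so their output can be compared, and the destructuring pattern is used to rename `_HOSTNAME` and `_PID` to shorter variables while flattening each record into one greppable line:

```shell
#!/bin/sh
# Added example: jq construct/destruct shorthand on journal-style JSON.
# Constructed sample records (not real system data), one JSON object per line,
# the same shape journalctl -o json emits.
SAMPLE_JOURNAL='{"_HOSTNAME":"web01","MESSAGE":"Accepted publickey for alice","SYSLOG_IDENTIFIER":"sshd","_PID":"4242"}
{"_HOSTNAME":"web01","MESSAGE":"session opened for user alice","SYSLOG_IDENTIFIER":"sshd","_PID":"4243"}'

# Long form: spell out every key/value pair.
construct_long() {
  printf '%s\n' "$SAMPLE_JOURNAL" | jq -c '{_HOSTNAME: ._HOSTNAME, MESSAGE: .MESSAGE}'
}

# Shorthand: {a, b} is the same as {a: .a, b: .b}.
construct_short() {
  printf '%s\n' "$SAMPLE_JOURNAL" | jq -c '{_HOSTNAME, MESSAGE}'
}

# Destructuring: . as {$MESSAGE} binds $MESSAGE to .MESSAGE, and
# _HOSTNAME: $host renames on the way in. The result is one flat
# "host pid message" line per record, convenient for grep/sort in a timeline.
destruct_line() {
  printf '%s\n' "$SAMPLE_JOURNAL" \
    | jq -r '. as {$MESSAGE, _HOSTNAME: $host, _PID: $pid} | "\($host) \($pid) \($MESSAGE)"'
}

# Prints "same" when long and short construction agree, "differ" otherwise,
# or "skipped" when jq is not available on this host.
compare_construct_forms() {
  command -v jq >/dev/null 2>&1 || { echo skipped; return 0; }
  if [ "$(construct_long)" = "$(construct_short)" ]; then echo same; else echo differ; fi
}

# Usage when run directly:
#   . ./jq-shorthand.sh; compare_construct_forms; destruct_line
```

The `-c` flag keeps one object per output line, which matters when the result is fed to another tool; `-r` drops the JSON quoting so the destructured line is plain text.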
@wader @hal_pomeranz @0x00string could I ask for a link? I'm failing to find it.
Edit: "fq jq" finds https://github.com/wader/fq