Takes a array of time stamped items(largely meant for use with files) returns ones that include the specified time range.
Originally developed for use with Suricata conditional PCAPs and Daemonlogger.
use File::Find::IncludesTimeRange;
use Time::Piece;
use Data::Dumper;
my @files=(
'daemonlogger.1677468390.pcap',
'daemonlogger.1677468511.pcap',
'daemonlogger.1677468632.pcap',
'daemonlogger.1677468753.pcap',
'daemonlogger.1677468874.pcap',
'daemonlogger.1677468995.pcap',
'daemonlogger.1677469116.pcap',
'daemonlogger.1677469237.pcap',
'daemonlogger.1677469358.pcap',
'daemonlogger.1677469479.pcap',
'daemonlogger.1677469600.pcap',
'daemonlogger.1677469721.pcap',
);
print Dumper(\@files);
my $start=Time::Piece->strptime('1677468511', '%s');
my $end=Time::Piece->strptime( '1677468833', '%s');
my $found=File::Find::IncludesTimeRange->find(
items=>\@files,
start=>$start,
end=>$end,
regex=>'(?<timestamp>\d\d\d\d\d\d+)(\.pcap|(?<subsec>\.\d+)\.pcap)$',
strptime=>'%s',
);
print Dumper($found);Searches through a list of items , finds the ones that appear to be timestamped. It will then sort the found time stamps and return the ones that include the specified time periods.
There following options are taken.
- items :: A array ref of items to examine.
- start :: A Time::Piece object set to the start time.
- end :: A Time::Piece object set to the end time.
- regex :: A regex to use for matching the files. Requires uses of the named
group 'timestamp' for capturing the timestamp. If it includes micro
seconds in it, since Time::Piece->strptime does not handle those,
those can be captured via the group 'subsec'. They will then be
appended to to the epoch time of any parsed timestamp for sorting
purposes.
- Default :: (?<timestamp>\d\d\d\d\d\d+)(\.pcap|(?<subsec>\.\d+)\.pcap)$
- strptime :: The format for use with L<Time::Piece>->strptime.
- Default :: %s
- ts_is_unixtime :: Skips using Time::Piece and strptime as it is
just a simple numeric test. For this subsecs
should be included in the capture group
'timestamp' for the regex.