A tool for rapid CSV file processing and filtering, designed specifically for log analysis.
Note
This project is in the early stages of development. Please be aware that frequent changes and updates are likely to occur.
$ sscsv {{initializer}} {{Arguments}} - {{chainable}} {{Arguments}} - {{chainable}} {{Arguments}} - {{finalizer}} {{Arguments}}
For example, the command below reads a CSV file, extracts the rows that contain 4624 in the Event ID column, sorts them by the Date and Time column, and displays the top 3 rows.
$ sscsv load Security.csv - isin 'Event ID' 4624 - sort 'Date and Time' - head 3
2024-06-26T17:29:19+0000 [DEBUG] 1 files are loaded. Security.csv
2024-06-26T17:29:19+0000 [DEBUG] filter condition: 4624 in Event ID
2024-06-26T17:29:19+0000 [DEBUG] sort by Date and Time (asc).
2024-06-26T17:29:19+0000 [DEBUG] heading 3 lines.
shape: (3, 5)
┌─────────────┬───────────────────────┬─────────────────────────────────┬──────────┬───────────────┐
│ Level       ┆ Date and Time         ┆ Source                          ┆ Event ID ┆ Task Category │
│ ---         ┆ ---                   ┆ ---                             ┆ ---      ┆ ---           │
│ str         ┆ str                   ┆ str                             ┆ i64      ┆ str           │
╞═════════════╪═══════════════════════╪═════════════════════════════════╪══════════╪═══════════════╡
│ Information ┆ 10/6/2016 01:00:55 PM ┆ Microsoft-Windows-Security-Aud… ┆ 4624     ┆ Logon         │
│ Information ┆ 10/6/2016 01:04:05 PM ┆ Microsoft-Windows-Security-Aud… ┆ 4624     ┆ Logon         │
│ Information ┆ 10/6/2016 01:04:10 PM ┆ Microsoft-Windows-Security-Aud… ┆ 4624     ┆ Logon         │
└─────────────┴───────────────────────┴─────────────────────────────────┴──────────┴───────────────┘
This tool processes CSV by connecting three kinds of process: initializer, chainable, and finalizer.
For example, an initializer reads in the file, the data passes through multiple chainable processing steps, and a finalizer then outputs the result.
Also, each process is explicitly separated from the others by "-".
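The stage model described above, as an added illustration in Python (not sscsv's own code): the command line is split on each standalone "-", and the rows returned by one stage are handed to the next. The CSV rows are constructed sample data, and the function bodies and the timestamp format string are assumptions; the sort stage parses the timestamps because the output above shows 'Date and Time' as a str column, where a plain string sort would not be chronological.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the column layout shown on this page.
SAMPLE = """Level,Date and Time,Source,Event ID,Task Category
Information,10/6/2016 01:04:10 PM,Microsoft-Windows-Security-Auditing,4624,Logon
Information,10/6/2016 11:59:02 AM,Microsoft-Windows-Security-Auditing,4634,Logoff
Information,10/6/2016 01:00:55 PM,Microsoft-Windows-Security-Auditing,4624,Logon
Information,10/6/2016 11:58:40 AM,Microsoft-Windows-Security-Auditing,4624,Logon
"""
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumed: month/day/year, 12-hour clock
CMD = ["load", "Security.csv", "-", "isin", "Event ID", "4624", "-",
       "sort", "Date and Time", "-", "head", "3"]

def split_stages(argv):
    """Split argv into stages on each standalone "-" separator."""
    stages = [[]]
    for tok in argv:
        if tok == "-":
            stages.append([])
        else:
            stages[-1].append(tok)
    return [s for s in stages if s]

def load(_rows, text):            # initializer: parse CSV text into dict rows
    return list(csv.DictReader(io.StringIO(text)))

def isin(rows, colname, values):  # chainable: keep rows whose value is listed
    wanted = set(values.split(","))
    return [r for r in rows if r[colname] in wanted]

def sort(rows, colname):          # chainable: chronological, not lexicographic
    return sorted(rows, key=lambda r: datetime.strptime(r[colname], TS_FORMAT))

def head(rows, number="5"):       # chainable: first N rows
    return rows[: int(number)]

STAGES = {"load": load, "isin": isin, "sort": sort, "head": head}

def run(argv, sources):
    """Run the stages in order; `sources` maps a file name to CSV text."""
    rows = None
    for name, *args in split_stages(argv):
        if name == "load":
            args = [sources[args[0]]]  # swap the path for in-memory text
        rows = STAGES[name](rows, *args)
    return rows
```

Calling run(CMD, {"Security.csv": SAMPLE}) returns the three 4624 rows with the 11:58:40 AM logon first, whereas sorting the same timestamps as strings would put 01:00:55 PM first.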
load
Loads the specified CSV files.
Arguments:
path*: str
examples
$ sscsv load ./Security.csv
$ sscsv load ./logs/*.csv
select
Displays the specified columns.
Arguments:
columns: Union[str, tuple[str]]
examples
$ sscsv load ./Security.csv - select 'Event ID'
$ sscsv load ./Security.csv - select "Date and Time-Event ID"
$ sscsv load ./Security.csv - select "'Date and Time,Event ID'"
isin
Displays rows that contain the specified values.
Arguments:
colname: str
values: list
examples
$ sscsv load ./Security.csv - isin 'Event ID' 4624,4634
contains
Displays rows that contain the specified string.
Arguments:
colname: str
regex: str
examples
$ sscsv load ./Security.csv - contains 'Date and Time' '10/6/2016'
head
Displays the first specified number of rows of the data.
Options:
number: int = 5
examples
$ sscsv load ./Security.csv - head 10
tail
Displays the last specified number of rows of the data.
Options:
number: int = 5
examples
$ sscsv load ./Security.csv - tail 10
sort
Sorts the data by the values of the specified column.
Arguments:
columns: str
Options:
desc: bool = False
examples
$ sscsv load ./Security.csv - sort 'Date and Time'
changetz
Changes the timezone of the specified date column.
Arguments:
columns: str
Options:
timezone_from: str = "UTC"
timezone_to: str = "Asia/Tokyo"
new_colname: str = None
examples
$ sscsv load ./Security.csv - changetz 'Date and Time' --timezone_from=UTC --timezone_to=Asia/Tokyo --new_colname='Date and Time(JST)'
headers
Displays the column names of the data.
Options:
plain: bool = False
examples
$ sscsv load ./Security.csv - headers
2024-06-30T13:17:53+0000 [DEBUG] 1 files are loaded. Security.csv
┏━━━━┳━━━━━━━━━━━━━━━┓
┃ #  ┃ Column Name   ┃
┡━━━━╇━━━━━━━━━━━━━━━┩
│ 00 │ Level         │
│ 01 │ Date and Time │
│ 02 │ Source        │
│ 03 │ Event ID      │
│ 04 │ Task Category │
└────┴───────────────┘
stats
Displays the statistical information of the data.
examples
$ sscsv load ./Security.csv - stats
2024-06-30T13:25:53+0000 [DEBUG] 1 files are loaded. Security.csv
shape: (9, 6)
┌────────────┬─────────────┬───────────────────────┬─────────────────────────────────┬─────────────┬─────────────────────────┐
│ statistic  ┆ Level       ┆ Date and Time         ┆ Source                          ┆ Event ID    ┆ Task Category           │
│ ---        ┆ ---         ┆ ---                   ┆ ---                             ┆ ---         ┆ ---                     │
│ str        ┆ str         ┆ str                   ┆ str                             ┆ f64         ┆ str                     │
╞════════════╪═════════════╪═══════════════════════╪═════════════════════════════════╪═════════════╪═════════════════════════╡
│ count      ┆ 62031       ┆ 62031                 ┆ 62031                           ┆ 62031.0     ┆ 62031                   │
│ null_count ┆ 0           ┆ 0                     ┆ 0                               ┆ 0.0         ┆ 0                       │
│ mean       ┆ null        ┆ null                  ┆ null                            ┆ 5058.625897 ┆ null                    │
│ std        ┆ null        ┆ null                  ┆ null                            ┆ 199.775419  ┆ null                    │
│ min        ┆ Information ┆ 10/6/2016 01:00:35 PM ┆ Microsoft-Windows-Eventlog      ┆ 1102.0      ┆ Credential Validation   │
│ 25%        ┆ null        ┆ null                  ┆ null                            ┆ 5152.0      ┆ null                    │
│ 50%        ┆ null        ┆ null                  ┆ null                            ┆ 5156.0      ┆ null                    │
│ 75%        ┆ null        ┆ null                  ┆ null                            ┆ 5157.0      ┆ null                    │
│ max        ┆ Information ┆ 10/7/2016 12:59:59 AM ┆ Microsoft-Windows-Security-Aud… ┆ 5158.0      ┆ User Account Management │
└────────────┴─────────────┴───────────────────────┴─────────────────────────────────┴─────────────┴─────────────────────────┘
showquery
Displays the data processing query.
examples
$ sscsv load Security.csv - showquery
2024-06-30T13:26:54+0000 [DEBUG] 1 files are loaded. Security.csv
naive plan: (run LazyFrame.explain(optimized=True) to see the optimized plan)
Csv SCAN Security.csv
PROJECT */5 COLUMNS
show
Outputs the processing results to the standard output.
examples
$ sscsv load Security.csv - show
2024-06-30T13:27:34+0000 [DEBUG] 1 files are loaded. Security.csv
2024-06-30T13:27:34+0000 [DEBUG] heading 5 lines.
Level,Date and Time,Source,Event ID,Task Category
Information,10/7/2016 06:38:24 PM,Microsoft-Windows-Security-Auditing,4658,File System
Information,10/7/2016 06:38:24 PM,Microsoft-Windows-Security-Auditing,4656,File System
Information,10/7/2016 06:38:24 PM,Microsoft-Windows-Security-Auditing,4658,File System
Information,10/7/2016 06:38:24 PM,Microsoft-Windows-Security-Auditing,4656,File System
Information,10/7/2016 06:38:24 PM,Microsoft-Windows-Security-Auditing,4658,File System
dump
Outputs the processing results to a CSV file.
Options:
path: str = yyyymmdd-HHMMSS_{QUERY}.csv
examples
$ sscsv load Security.csv - dump ./Security-sscsv.csv
- CSV cache (.pkl)
- Filtering based on specific conditions (OR, AND conditions)
- Grouping for operations like count
- Joining with other tables
- Config Batch
- Export Config
$ pip install sscsv
The version compiled into a binary using Nuitka is also available for use.
$ chmod +x ./sscsv
$ ./sscsv {{options...}}
> sscsv.exe {{options...}}
snip-snap-csv is released under the MIT License.