The Moose and Squirrel Files

August 27, 2008

Writing Filters in VBScript

Filed under: Code — networknerd @ 3:18 pm

The original philosophy of Unix was to create a set of tools that each do one job well and that can be chained together in a pipeline.  Each program was a filter, and it’s a powerful concept once you get your head around it.  Unfortunately that concept didn’t really make it into Windows.

All is not lost, however, because we can easily create our own custom filters in VBScript on almost any Windows box. No C compiler required; no downloads of Cygwin or the MKS Toolkit. When a script is run with cscript, it can read from STDIN, perform some manipulations and write to STDOUT.

The example below uses this technique to convert log files exported from the Check Point log viewer into CSV format.  By using the filter technique the data can be analysed and converted in one hit by piping the transformed data directly into Microsoft’s logparser utility.

Assuming our filter is called fwlogconv.vbs and the log file is fwlog.txt, the command line to perform this operation would be (watch the line wrap):

cscript //nologo fwlogconv.vbs <fwlog.txt | logparser.exe "select source, count(source) as drops from stdin group by source order by drops" -i:csv -q:on

or

type fwlog.txt | cscript //nologo fwlogconv.vbs | logparser.exe "select source, count(source) as drops from stdin group by source order by drops" -i:csv -q:on

The code for fwlogconv.vbs is shown below. The regular expression is documented in the script, with the exception of the \x22.  This is the hex equivalent of a double quote character. If you’re not familiar with regular expressions I recommend you take a look at Jeffrey Friedl’s book Mastering Regular Expressions.

option explicit
dim re 'as regexp
dim strinput

'Converts FW-1 log export to CSV format for use with logparser 2.2
'fw1 log export gives fields enclosed in double quotes separated by a single space
' regular expression to match is "(\x22[^\x22]*\x22)\s(?=\x22)"
' ( Start of field capture
'    \x22 field starts with a double quote
'        [^\x22]* and can contain zero or more characters that aren't double quotes
'    \x22 field ends with a double quote
' ) end of field capture
' \s a single space separates fields
' (?=\x22) positive lookahead for double quote to ensure the next character is the
' start of a new field and that we only have a single space. Also ensures that the
' last field can't be matched (since \s matches any whitespace including \n and \r)

set re = new regexp
're.global must be True so that every field separator on the line is replaced, not just the first
re.global = True
re.multiline = False
re.pattern = "(\x22[^\x22]*\x22)\s(?=\x22)"
'read STDIN one line at a time and write the converted line to STDOUT
do while not wscript.stdin.atendofstream
  strinput = wscript.stdin.readline()
  wscript.echo re.replace(strinput, "$1,")
loop
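
The following is an added example, not part of the original post: a variant of the filter that checks each converted line before passing it on, and writes lines that did not convert cleanly to STDERR so they cannot silently skew the counts logparser produces. The script name fwlogcheck.vbs, the exit codes, and the rule that a valid record has no embedded double quotes are assumptions of this example.

```vbscript
option explicit
' fwlogcheck.vbs (hypothetical name): convert FW-1 export lines to CSV and
' validate the result. Good lines go to STDOUT, bad lines go to STDERR.
' Constructed sample input to try it with:
'   "1" "27Aug2008" "drop" "10.0.0.5"      -> converted and passed on
'   "2" "27Aug2008"  "drop" "10.0.0.6"     -> rejected (two spaces between fields)
dim reSplit, reValid, strinput, strcsv, lineNo, rejected

' STDIN/STDOUT only exist under cscript.exe, so refuse to run under wscript.exe
if instr(1, wscript.fullname, "cscript.exe", vbTextCompare) = 0 then
  wscript.echo "Run this script with cscript.exe"
  wscript.quit 2
end if

' same separator pattern as fwlogconv.vbs
set reSplit = new regexp
reSplit.global = True
reSplit.pattern = "(\x22[^\x22]*\x22)\s(?=\x22)"

' assumption: a converted record is one or more quoted fields joined by
' commas, with nothing before the first field or after the last one
set reValid = new regexp
reValid.pattern = "^\x22[^\x22]*\x22(,\x22[^\x22]*\x22)*$"

lineNo = 0
rejected = 0
do while not wscript.stdin.atendofstream
  strinput = wscript.stdin.readline()
  lineNo = lineNo + 1
  strcsv = reSplit.replace(strinput, "$1,")
  if reValid.test(strcsv) then
    wscript.stdout.writeline strcsv
  else
    ' keep diagnostics out of the data stream that logparser reads
    rejected = rejected + 1
    wscript.stderr.writeline "line " & lineNo & " rejected: " & strinput
  end if
loop

' a non-zero exit code lets a calling batch file detect dropped records
if rejected > 0 then
  wscript.stderr.writeline rejected & " line(s) rejected"
  wscript.quit 1
end if
```

Because rejected lines go to STDERR, appending 2>rejects.txt to the cscript stage of the pipeline collects them in a file for review while logparser still receives only well-formed CSV.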
