
 

Author Re: Need to Parse Log Files That Are Spread Across Two Lines Per
Ed Morton

2006-01-30, 6:56 pm

Vadmin wrote:
> Hello:
>
> I am at a loss, I have a logfile which I wish to use to create a report
> for, but this particular logfile contains two lines for each entry
> made. The following is a snippet of the logfile:
>
> User=unknown, Auth=0 [None], Server=192.168.1.2:8080, Time=01/29/2006
> 06:00:00, Duration=18:01:02, Transfer=5528910
> Source=192.168.200.200:2142, Destination=10.10.10.1:3222,
> Connection=TCP Proxy, ACL=default:2
>
> User=unknown, Auth=0 [None], Server=192.168.1.3:8080, Time=01/29/2006
> 01:23:36, Duration=22:37:26, Transfer=7273894
> Source=192.168.200.122:1467, Destination=10.10.12.3:3334,
> Connection=TCP Proxy, ACL=default:2
>
> As you can see, each log entry starts off with "User=", the second line
> for the same logged event with "Source="


awk works on records, not lines. The fact that the default record
separator is the end of line character doesn't mean it HAS to be. In
this case, you appear to have a blank line between each 2-line record,
so we'll just set the RS to indicate a blank line. In gawk that's just
setting the RS to an empty string:

awk -v RS= ...

> What I am looking to achieve is to generate a report for each time
> "Server=192.168.1.3" is found on line 1, then print out only
> "Source:IP_ADDRESS Destination: IP_ADDRESS Port: Port_Number" The
> port number in this case is what follows after the actual IP address,
> i.e. 10.10.12.3:3334, where 3334 is the port number and 10.10.12.3 is
> the Destination IP address.
>


So, we're looking for blank-line-separated records ( -v RS= ) where the
fields are apparently separated by a comma followed by a space or by a
newline character ( -F'(, |\n)' ), and the 3rd field has to start with
"Server=192.168.1.3:". That'd be this:

awk -v RS= -F'(, |\n)' '$3 ~ /^Server=192\.168\.1\.3:/' file

To then print only the information you care about is just this:

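awk -v RS= -F'(, |\n)' '
# Records whose 3rd field is the Server= entry for 192.168.1.3
$3 ~ /^Server=192\.168\.1\.3:/ {
    split($7,s,"[=:]")    # s[1]="Source", s[2]=IP, s[3]=port
    split($8,d,"[=:]")    # d[1]="Destination", d[2]=IP, d[3]=port
    printf "%s: %s %s: %s Port: %s\n", s[1],s[2],d[1],d[2],d[3]
}' file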

Regards,

Ed.
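
An added example, not part of the post above: the same report with each field looked up by key name instead of position and the server address compared as an exact string, so a record with a missing or reordered field is either still reported correctly or counted on stderr instead of printing wrong addresses. The names proxy_report and sample_log are hypothetical; the first two sample records are the thread's snippet unwrapped to two lines each, and the last two are constructed.

```shell
#!/bin/sh
# Added example. proxy_report and sample_log are hypothetical names.

# Sample input: records 1-2 are from the thread, records 3-4 are constructed
# (3 has no second line; 4 lacks Auth= and swaps Source/Destination).
sample_log() {
cat <<'EOF'
User=unknown, Auth=0 [None], Server=192.168.1.2:8080, Time=01/29/2006 06:00:00, Duration=18:01:02, Transfer=5528910
Source=192.168.200.200:2142, Destination=10.10.10.1:3222, Connection=TCP Proxy, ACL=default:2

User=unknown, Auth=0 [None], Server=192.168.1.3:8080, Time=01/29/2006 01:23:36, Duration=22:37:26, Transfer=7273894
Source=192.168.200.122:1467, Destination=10.10.12.3:3334, Connection=TCP Proxy, ACL=default:2

User=unknown, Auth=0 [None], Server=192.168.1.3:8080, Time=01/29/2006 02:00:00, Duration=00:00:05, Transfer=0

User=unknown, Server=192.168.1.3:8080, Time=01/29/2006 03:10:00, Duration=00:01:00, Transfer=912
Destination=10.10.12.9:443, Source=192.168.200.50:1500, Connection=TCP Proxy, ACL=default:2
EOF
}

# proxy_report SERVER_IP [FILE...]: report Source/Destination/Port for
# records whose Server= address equals SERVER_IP (exact string compare).
proxy_report() {
    server=$1; shift
    awk -v RS= -F'(, |\n)' -v want="$server" '
    {
        split("", kv)                       # reset key/value map per record
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")             # split each field at its first "="
            if (eq) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        split(kv["Server"], srv, ":")
        if (srv[1] != want) next
        # Require exactly IP:port on both sides; otherwise count and skip.
        if (split(kv["Source"], s, ":") != 2 || split(kv["Destination"], d, ":") != 2) {
            bad++; next
        }
        printf "Source: %s Destination: %s Port: %s\n", s[1], d[1], d[2]
    }
    END {
        if (bad) printf "%d matching record(s) without usable Source/Destination\n", bad > "/dev/stderr"
    }' "$@"
}

sample_log | proxy_report 192.168.1.3
```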