[ale] Is awk the right tool for this?
Danny Cox
danscox at mindspring.com
Tue May 7 07:41:21 EDT 2002
Kevin,
On Tue, 2002-05-07 at 01:03, Kevin Krumwiede wrote:
> I want to go through my firewall logs and extract the source address of
> dropped packets. I can't just use cut to get the right field because of
> different flags on the packets. So how do I get just the token that
> begins with "SRC="? I have a feeling awk is the tool for the job, but I
> don't really know how to use it.
>
> grep dropped /var/log/kernel/info | ??? | sort | uniq | ...
Yep, I must agree with Adrin. sed may be better in this case. Given
the above,
grep dropped /var/log/kernel/info | sed 's/.*\(SRC=[^ ][^ ]*\).*/\1/' |
sort | uniq | ... might do it. I'm assuming that "SRC=?" ends with a
space, thus my use of the '[^ ][^ ]*'. You may could also match the
"dotted quad", something like 'SRC=[0-9.][0-9.]*', which will match any
run of numbers and decimal points.
Awk could also do it, but you'd need to loop through the 'fields':
/dropped/ { for (i = 1; i <= NF; i++)    # <= NF, so the last field is checked too
                if ($i ~ /SRC=/)
                    print $i;
          }
which wouldn't need the initial grep either.
By the way, sort can 'uniquify' the output too, if you didn't know.
See man sort(1), the -u flag.
So, putting all that together gives us:
awk 'blah mumble fubar' /var/log/kernel/info | sort -u | ...
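Here is a worked version of what the thread describes, as an added example that is not part of the original post. It keys on the token name rather than the field position, because the number of fields on an iptables-style log line varies with the flags present (DF, SYN, TYPE=, ...). The log lines embedded in the script are constructed samples in that shape; the path /var/log/kernel/info from the thread is where the real lines would come from. Both the awk form (with a per-address count) and the corrected sed form are included as shell functions that read from stdin:

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Extract the SRC= address of dropped packets from kernel firewall log lines.
# SAMPLE_LOG is constructed sample input; real input would be
#   grep dropped /var/log/kernel/info, or the file itself.

SAMPLE_LOG='May  7 07:41:21 fw kernel: dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May  7 07:41:22 fw kernel: dropped IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=53 DPT=137 LEN=20
May  7 07:41:23 fw kernel: accepted IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=1234 DPT=80
May  7 07:41:24 fw kernel: dropped IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 PROTO=ICMP TYPE=8 CODE=0'

# dropped_sources: awk version. For every "dropped" line, walk all fields
# (1..NF inclusive), pick the one starting with SRC=, and count it.
# Output: "<count> <address>", most frequent source first.
dropped_sources() {
    awk '/dropped/ {
            for (i = 1; i <= NF; i++)          # <= NF so the last field is tested too
                if ($i ~ /^SRC=/) {            # anchored: the token must start with SRC=
                    ip = substr($i, 5)         # strip the 4-character "SRC=" prefix
                    count[ip]++
                }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# dropped_sources_sed: sed version from the thread, with the "s" command
# that the original line was missing. The dotted-quad pattern keeps only
# the address; -n plus the p flag prints only lines that actually matched.
# Output: one distinct address per line.
dropped_sources_sed() {
    grep dropped | sed -n 's/.*SRC=\([0-9.][0-9.]*\).*/\1/p' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dropped_sources
printf '%s\n' "$SAMPLE_LOG" | dropped_sources_sed
```

For the sample above the awk function prints "2 192.0.2.10" and "1 198.51.100.7" (the accepted line is ignored), and the sed function prints the two distinct addresses. The per-address count is the useful extra over plain sort -u when you are deciding which source is worth looking at first.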
--
kernel, n.: A part of an operating system that preserves the
medieval traditions of sorcery and black art.
Danny
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.