2012-09-28 47 views
2

我不是100%確定如何簡單地說出我的問題,所以如果在某個地方回答了此問題並且我無法找到它,我表示歉意。使用awk只返回某些數據塊

我所擁有的是帶有身份驗證數據包的調試日誌以及一堆其他輸出。我需要搜索大約200萬行日誌來查找包含某個mac地址的每個數據包。

的包看起來像這樣(略審查):

-----------------[ header ]----------------- 
Event:  Authd-Response (1900) 
Sequence: -54 
Timestamp: 1969-12-31 19:30:00 (0) 
---------------[ attributes ]--------------- 
Auth-Result = Auth-Accept 
Service-Profile-SID = 53 
Service-Profile-SID = 49 
RADIUS-Access-Accept-Attr/WiMAX-Capability = 0x(numbers) 
Session-Timeout = 3600 
Service-Profile-SID = 4 
Service-Profile-SID = 29 
Chargeable-User-Identity = "(Numbers)" 
User-Password = "(the MAC address I'm looking for)" 
-------------------------------------------- 

但是大約有10種不同的可能的類型不同可能的長度。它們都以標題行開始,並以全破折號行結束。

我用awk讓自己使用此代碼塊取得了成功:

awk '/-----------------\[ header \]-----------------/,/--------------------------------------------/' filename.txt 

但我希望能夠用它來僅返回包含我需要的MAC地址的報文。

我一直試圖弄清楚這幾天現在,我很卡住。我可以嘗試寫一個bash腳本,但我可以發誓我已經使用awk做過這樣的事情...

回答

1

一種方式

假設infile有以下內容(三個頭具有不同的MAC):

-----------------[ header ]----------------- 
Event:  Authd-Response (1900) 
Sequence: -54 
Timestamp: 1969-12-31 19:30:00 (0) 
---------------[ attributes ]--------------- 
Auth-Result = Auth-Accept 
Service-Profile-SID = 53 
Service-Profile-SID = 49 
RADIUS-Access-Accept-Attr/WiMAX-Capability = 0x(numbers) 
Session-Timeout = 3600 
Service-Profile-SID = 4 
Service-Profile-SID = 29 
Chargeable-User-Identity = "(Numbers)" 
User-Password = "ab:89:67:45:23:01" 
-------------------------------------------- 
-----------------[ header ]----------------- 
Event:  Authd-Response (1900) 
Sequence: -54 
Timestamp: 1969-12-31 19:30:00 (0) 
---------------[ attributes ]--------------- 
Auth-Result = Auth-Accept 
Service-Profile-SID = 53 
Service-Profile-SID = 49 
RADIUS-Access-Accept-Attr/WiMAX-Capability = 0x(numbers) 
Session-Timeout = 3600 
Service-Profile-SID = 4 
Service-Profile-SID = 29 
Chargeable-User-Identity = "(Numbers)" 
User-Password = "01:23:45:67:89:ab" 
-------------------------------------------- 
-----------------[ header ]----------------- 
Event:  Authd-Response (1900) 
Sequence: -54 
Timestamp: 1969-12-31 19:30:00 (0) 
---------------[ attributes ]--------------- 
Auth-Result = Auth-Accept 
Service-Profile-SID = 53 
Service-Profile-SID = 49 
RADIUS-Access-Accept-Attr/WiMAX-Capability = 0x(numbers) 
Session-Timeout = 3600 
Service-Profile-SID = 4 
Service-Profile-SID = 29 
Chargeable-User-Identity = "(Numbers)" 
User-Password = "00:00:45:67:89:ab" 
-------------------------------------------- 

運行以下awk腳本:

awk -v mac="01:23:45:67:89:ab" ' 
    BEGIN { 
     RS = "-+\\[ header \\]-+"; 
     FS = "\n"; 
    } 
    ## Save record separator. I must do at the beginning because later the 
    ## variable is reset. ¿Bug? 
    FNR == 1 { 
     record_sep = RT; 
    } 
    { 
     ## Go throught each line searching for the MAC. If found print 
     ## the whole block. 
     for (i = 1; i <= NF; i++) { 
      if (match($i, mac) > 0) { 
       print record_sep, $0; 
       break; 
      } 
     } 
    } 
' infile 

國債收益率:

-----------------[ header ]----------------- 
Event:  Authd-Response (1900) 
Sequence: -54 
Timestamp: 1969-12-31 19:30:00 (0) 
---------------[ attributes ]--------------- 
Auth-Result = Auth-Accept 
Service-Profile-SID = 53 
Service-Profile-SID = 49 
RADIUS-Access-Accept-Attr/WiMAX-Capability = 0x(numbers) 
Session-Timeout = 3600 
Service-Profile-SID = 4 
Service-Profile-SID = 29 
Chargeable-User-Identity = "(Numbers)" 
User-Password = "01:23:45:67:89:ab" 
-------------------------------------------- 
0

一些awks支持多字符記錄分隔符。如果'------'行的長度始終相同,那麼

awk 'BEGIN{ORS=RS="^---------------------$";}/macAddress/{print}' logfile 

應該可以工作。

(延伸的過程中,「----」可以匹配你的長度真正REC分離器。

IHTH

0
awk -v mac=MACADDR ' 
    /^-----------------\[ header \]-----------------$/ { inpacket=1; found=0 } 
    inpacket { packet = packet "\n" $0; if (/User-Password =/&& $3 == mac) { found=1 } } 
    /^--------------------------------------------$/ && found { print packet; inpacket=0 }' 

我認爲在你上面的例子中引號和括號。文件格式的實際上不是一部分如果是這樣,改變第一行:

awk -v mac='"('MACADDR')"' ' 
2

這可能會爲你工作(GNU awk):

awk '$0~mac{printf($0.RT)}' mac="01:23:45:67:89:ab" RS="\n[-]+\n" file 

其中mac是您選擇的地址。

+0

+1,很好,很簡單,可能需要添加'-v IGNORECASE = 1'。 – Thor