Multiple Pattern Search in a same line and delete

Hi Gurus,

I need to delete a line from a syslog file, if it matches three conditions.

Say for ex., if the device name is device.name.com and if it contains the syslog message PAGP-5-PORTFROMSTP in between the time period 00:00:00 to 04:00:00, then the particular line has to be deleted from the syslog file. The file size is 550 MB and so vi cannot be used here. The only option I see here is sed and tried the following,

sed -e '/[00-04]:..:../d;/device.anme.com/d;/PAGP-5-PORTFROMSTP/d' syslogfile > tempfile
but it's not working as expected.

I have a few lines from the syslog file copied below,

SRAMDEL<fsp>2008-03-01 00:01:26<fsp>router.dev.com<fsp>SPANTREE-6-PORTFWD<fsp>6<fsp>Port 5/1 state in VLAN 469 changed to forwarding<fsp>router.dev.com<fsp>102430100217
SRAMDEL<fsp>2008-03-01 00:01:33<fsp>21.228.23.24<fsp>CDP-4-DUPLEX_MISMATCH<fsp>4<fsp>duplex mismatch discovered on FastEthernet0/1 (not half duplex), with yourname.yourdomain.com GigabitEthernet0/0 (half duplex).<fsp>12.18.127.216<fsp>102430100218
SRAMDEL<fsp>2008-03-01 00:01:34<fsp>router.dev.com<fsp>ETHC-5-PORTFROMSTP<fsp>5<fsp>Port 5/1 left bridge port 5/1<fsp>router.dev.com<fsp>102430100219
SRAMDEL<fsp>2008-03-01 00:01:35<fsp>rtrL-OSL1.dev.com<fsp>ENVMON-3-FAN_FAILED<fsp>3<fsp>Fan 2 not rotating<fsp>rL1.dev.com<fsp>102430100220
SRAMDEL<fsp>2008-03-01 00:01:36<fsp>router.dev.com<fsp>ETHC-5-PORTTOSTP<fsp>5<fsp>Port 5/1 joined bridge port 5/1<fsp>router.dev.com<fsp>102430100221
SRAMDEL<fsp>2008-03-01 00:01:36<fsp>rtrR1.dev.com<fsp>ENVMON-3-FAN_FAILED<fsp>3<fsp>Fan 1 not rotating<fsp>rR1.dev.com<fsp>102430100222
SRAMDEL<fsp>2008-03-01 00:01:37<fsp>router.dev.com<fsp>SPANTREE-6-PORTFWD<fsp>6<fsp>Port 5/1 state in VLAN 469 changed to forwarding<fsp>router.dev.com<fsp>102430100223
SRAMDEL<fsp>2008-03-01 00:02:05<fsp>rtrL1.dev.com<fsp>ENVMON-3-FAN_FAILED<fsp>3<fsp>Fan 2 not rotating<fsp>rL1.dev.com<fsp>102430100224
SRAMDEL<fsp>2008-03-01 00:02:05<fsp>rtrI2.dev.com<fsp>CDP-4-DUPLEX_MISMATCH<fsp>4<fsp>duplex mismatch discovered on FastEthernet0/0 (not half duplex), with Switch FastEthernet0/5 (half duplex).<fsp>rtAI2.dev.com<fsp>102430100225
SRAMDEL<fsp>2008-03-01 00:02:06<fsp>rtr1.dev.com<fsp>ENVMON-3-FAN_FAILED<fsp>3<fsp>Fan 1 not rotating<fsp>rtR1.dev.com<fsp>102430100226
SRAMDEL<fsp>2008-03-01 00:02:23<fsp>TR01.dev.com<fsp>CDP-4-DUPLEX_MISMATCH<fsp>4<fsp>duplex mismatch discovered on FastEthernet1/0/44 (not half duplex), with SEP001D457DD302 Port 1 (half duplex).<fsp>TR00.dev.com<fsp>102430100227
SRAMDEL<fsp>2008-03-01 00:02:24<fsp>AL05.dev.com<fsp>PAGP-5-PORTFROMSTP<fsp>5<fsp>Port 5/48 left bridge port 5/48<fsp>AL005.dev.com<fsp>102430100228
SRAMDEL<fsp>2008-03-01 00:02:26<fsp>AL05.dev.com<fsp>PAGP-5-PORTTOSTP<fsp>5<fsp>Port 5/48 joined bridge port 5/48<fsp>AL005.dev.com<fsp>102430100228
SRAMDEL<fsp>2008-03-01 00:02:27<fsp>AL05.dev.com<fsp>SPANTREE-6-PORTFWD<fsp>6<fsp>Port 5/48 state in VLAN 21 changed to forwarding<fsp>ALS5.dev.com<fsp>102430100230
SRAMDEL<fsp>2008-03-01 00:02:33<fsp>12.148.197.126<fsp>CDP-4-DUPLEX_MISMATCH<fsp>4<fsp>duplex mismatch discovered on FastEthernet0/1 (not half duplex), with yourname.yourdomain.com GigabitEthernet0/0 (half duplex).<fsp>12.198.17.26<fsp>102430100231
SRAMDEL<fsp>2008-03-01 00:02:35<fsp>rtrws.dev.com<fsp>ENVMON-3-FAN_FAILED<fsp>3<fsp>Fan 2 not rotating<fsp>rtL1.dev.com<fsp>102430100232
SRAMDEL<fsp>2008-03-01 00:02:36<fsp>rt1.dev.com<fsp>ENVMON-3-FAN_FAILED<fsp>3<fsp>Fan 1 not rotating<fsp>rtrR1.dev.com<fsp>102430100233
SRAMDEL<fsp>2008-03-01 00:02:42<fsp>router.dev.com<fsp>ETHC-5-PORTFROMSTP<fsp>5<fsp>Port 5/1 left bridge port 5/1<fsp>router.dev.com<fsp>102430100234

Can you pls help me in getting the script working.

Thanks a lot for your help

You have the time regex wrong.

/0[0-4]:..:../d

However, the logic seems backwards, too. You want to delete lines where all three conditions match, correct? Your script will successively delete lines where any one condition matches.

If they are always in the same order, you could simply use grep -v.

grep -v '0[0-4]:..:.*device\.anme\.com.*PAGP-5-PORTFROMSTP' syslogfile >tempfile

I don't see any matches on "device.anme.com" or "device.name.com" so it's a bit hard to test on the snippet you posted, though. If I use the device AL05.dev.com I find one match.
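A field-aware variant of the same three-condition delete, as an added example that is not part of the original thread. It splits each line on the literal `<fsp>` separator and compares whole fields, so the window ends at exactly 04:00:00 and the device name must match the entire field. The function names, the field positions (taken from the posted sample lines) and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout, based on the sample lines in the thread:
#   $1 tag <fsp> $2 "YYYY-MM-DD HH:MM:SS" <fsp> $3 device <fsp> $4 mnemonic ...
# Usage: drop_matching device.name.com PAGP-5-PORTFROMSTP syslogfile > tempfile

# drop_matching DEVICE MNEMONIC [FILE...]
# Prints every line except those where ALL three conditions hold:
# device field equals DEVICE, mnemonic field equals MNEMONIC, and the
# time of day lies in 00:00:00..04:00:00 (inclusive).
drop_matching() {
    dev=$1 mnem=$2
    shift 2
    awk -F'<fsp>' -v dev="$dev" -v mnem="$mnem" '
        {
            split($2, dt, " ")      # dt[1] = date, dt[2] = HH:MM:SS
            t = dt[2]
            # Zero-padded HH:MM:SS sorts correctly as a plain string.
            in_window = (t >= "00:00:00" && t <= "04:00:00")
            # Exact string equality: dots are not wildcards, and the
            # repeated hostname near the end of the line is never consulted.
            if (in_window && $3 == dev && $4 == mnem) next
            print
        }' "$@"
}

# Constructed sample input in the thread's format (not real log data).
sample() {
    cat <<'EOF'
SRAMDEL<fsp>2008-03-01 00:02:24<fsp>AL05.dev.com<fsp>PAGP-5-PORTFROMSTP<fsp>5<fsp>Port 5/48 left bridge port 5/48<fsp>AL005.dev.com<fsp>1
SRAMDEL<fsp>2008-03-01 00:02:26<fsp>AL05.dev.com<fsp>PAGP-5-PORTTOSTP<fsp>5<fsp>Port 5/48 joined bridge port 5/48<fsp>AL005.dev.com<fsp>2
SRAMDEL<fsp>2008-03-01 04:30:00<fsp>AL05.dev.com<fsp>PAGP-5-PORTFROMSTP<fsp>5<fsp>Port 5/48 left bridge port 5/48<fsp>AL005.dev.com<fsp>3
SRAMDEL<fsp>2008-03-01 01:00:00<fsp>XAL05.dev.com<fsp>PAGP-5-PORTFROMSTP<fsp>5<fsp>Port 5/48 left bridge port 5/48<fsp>AL005.dev.com<fsp>4
SRAMDEL<fsp>2008-03-01 02:00:00<fsp>router.dev.com<fsp>PAGP-5-PORTFROMSTP<fsp>5<fsp>Port 5/1 left bridge port 5/1<fsp>router.dev.com<fsp>5
EOF
}
```

Running `sample | drop_matching AL05.dev.com PAGP-5-PORTFROMSTP` removes only the 00:02:24 line; awk streams the input, so the 550 MB file size is not a problem.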

Hello Era,

Thanks a lot for the tip. It really works. Thanks once again.