Need help to replace a perl pattern matching

My example file is as given below:

 conn=1 uid=oracle
conn=2 uid=db2
conn=3 uid=oracle
conn=4 uid=hash
conn=5 uid=skher
conn=6 uid=oracle
conn=7 uid=mpalkar
conn=8 uid=anarke
conn=9 uid=oracle
conn=1 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.5.6 to 10.18.6.5
conn=2 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.10 to 10.18.6.5
conn=3 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.30.35.19 to 10.18.6.5
conn=4 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.40.35.11 to 10.18.6.5
conn=5 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.50.35.12 to 10.18.6.5
conn=6 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
conn=7 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.15 to 10.18.6.5
conn=8 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.16 to 10.18.6.5
conn=9 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5

I need to write a script which will grep "uid=oracle" and find the IP address the connection was initiated from,
using the connection ID "conn=x".

This is a sample file which I have simplified; the actual file is gigabytes in size.

I need to do this in perl now....

I would like an output something like this:

IP=w.x.y.z  Hits=x

Hits means the number of times a search with uid=oracle was initiated from that IP.

Any help would certainly be appreciated!

Try this:

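#! /bin/sh
# Count, per client IP, the connections whose uid equals the uid given as the
# only argument. The log is read from ./inputfile.
#
# Usage: script <uid>
# Output: one "IP=<addr> Hits=<n>" line per source address, in no fixed order.

if [ $# -ne 1 ]; then
        echo "Usage: $0 <uid>" >&2
        exit 1
fi

# "$1" is quoted so a uid containing whitespace or glob characters stays a
# single awk assignment instead of being split into extra arguments.
awk -v uid="$1" '
  # "conn=N uid=NAME" line: remember which uid owns connection N.
  NF==2 && $1~/^conn=/ && $2~/^uid=/ {
    split($1, a, "=")
    split($2, b, "=")
    owner[a[2]]=b[2]
    next
  }
  # "... connection from SRC to DST" line: SRC is the third field from the end.
  # A connection is counted only if its uid line was read before this line,
  # as in the sample data.
  /connection from/ {
    split($1, cid, "=")
    # Exact lookup on the connection id: a substring or regex test would let
    # conn=1 also match conn=11 and credit the hit to the wrong uid.
    # Appending "" forces a string comparison, so numeric-looking uids such
    # as 007 and 7 are not treated as equal.
    if ( (cid[2] in owner) && (owner[cid[2]] "") == (uid "") ) {
      pos=NF-2
      ++sum[$pos]
    }
  }
  END {
    for ( i in sum ) {
      # Print the count for this address; passing the whole array here is an
      # awk error.
      printf("IP=%s Hits=%d\n", i, sum[i])
    }
  }
' inputfile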
$
$
$ cat f38
conn=1 uid=oracle
conn=2 uid=db2
conn=3 uid=oracle
conn=4 uid=hash
conn=5 uid=skher
conn=6 uid=oracle
conn=7 uid=mpalkar
conn=8 uid=anarke
conn=9 uid=oracle
conn=1 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.5.6 to 10.18.6.5
conn=2 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.10 to 10.18.6.5
conn=3 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.30.35.19 to 10.18.6.5
conn=4 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.40.35.11 to 10.18.6.5
conn=5 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.50.35.12 to 10.18.6.5
conn=6 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
conn=7 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.15 to 10.18.6.5
conn=8 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.16 to 10.18.6.5
conn=9 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
$
$
$ perl -lane 'if ($F[1] eq "uid=oracle") {$x{$F[0]}++}
              elsif (defined $x{$F[0]}) {$y{$F[9]}++}
              END {while (($k, $v) = each %y){print "IP=$k  Hits=$v"}}
             ' f38
IP=10.10.35.14  Hits=2
IP=10.30.35.19  Hits=1
IP=10.10.5.6  Hits=1
$
$

tyler_durden


Thanks a lot tyler_durden, is there a way to modify the perl script to include two search patterns:

 
uid=oracle and uid=db2 

to get

IP=w.x.y.z  Hits=x Pattern=db2
IP=w.x.y.z  Hits=x Pattern=oracle 

I figured out I can use:

 (($F[1] eq "uid=oracle") || ($F[1] eq "uid=db2")) 

but can't figure out how to include Pattern=x

I would request someone's help!