My example file is as given below:
conn=1 uid=oracle
conn=2 uid=db2
conn=3 uid=oracle
conn=4 uid=hash
conn=5 uid=skher
conn=6 uid=oracle
conn=7 uid=mpalkar
conn=8 uid=anarke
conn=9 uid=oracle
conn=1 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.5.6 to 10.18.6.5
conn=2 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.10 to 10.18.6.5
conn=3 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.30.35.19 to 10.18.6.5
conn=4 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.40.35.11 to 10.18.6.5
conn=5 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.50.35.12 to 10.18.6.5
conn=6 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
conn=7 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.15 to 10.18.6.5
conn=8 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.16 to 10.18.6.5
conn=9 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
I need to write a script which will grep "uid=oracle" and find the IP address the connection was initiated from,
using the connection ID "conn=x".
This is a sample file which I have simplified somewhat; the actual file is in GBs.
I need to do this in perl now....
I would like an output something like this:
IP=w.x.y.z Hits=x
Hits basically means the number of times a search with uid=oracle was initiated from that IP.
Any help would certainly be appreciated!
Try this:
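#!/bin/sh
# Count, per source IP, the "connection from" records that belong to
# connections made with the given uid.
#
# Usage:   <script> <uid>
# Input:   ./inputfile, holding "conn=N uid=NAME" records and
#          "conn=N ... connection from SRC to DST" records.
# Output:  one "IP=<src> Hits=<count>" line per source address, in no
#          particular order.
# Exit:    1 when the argument count is wrong, otherwise the status of awk.
#
# NOTE(review): a connection record is counted only when its conn=N was already
# seen on a uid record earlier in the file, as in the sample data. Confirm that
# the real log has the same ordering and that conn ids are not reused within
# one file, otherwise hits are missed or attributed to the wrong uid.
if [ "$#" -ne 1 ]; then
  echo "Usage: $0 <uid>" >&2
  exit 1
fi

# The uid is handed over with -v (quoted) so it is never word-split by the
# shell and never becomes part of the awk program text.
awk -v uid="$1" '
  # "conn=N uid=NAME": remember N only when NAME is exactly the requested uid.
  # Keeping just the wanted ids keeps memory small on multi-GB logs.
  NF == 2 && $1 ~ /^conn=/ && $2 ~ /^uid=/ {
    if (substr($2, 5) == uid)
      wanted[substr($1, 6)] = 1
    next
  }

  # "conn=N ... connection from SRC to DST": SRC is the third field from the
  # end. The id is looked up as an exact array key, so conn=1 cannot be
  # confused with conn=11 or conn=21.
  /connection from/ && $1 ~ /^conn=/ {
    if ((substr($1, 6)) in wanted)
      ++sum[$(NF - 2)]
  }

  END {
    for (ip in sum)
      printf("IP=%s Hits=%d\n", ip, sum[ip])
  }
' inputfile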
$
$
$ cat f38
conn=1 uid=oracle
conn=2 uid=db2
conn=3 uid=oracle
conn=4 uid=hash
conn=5 uid=skher
conn=6 uid=oracle
conn=7 uid=mpalkar
conn=8 uid=anarke
conn=9 uid=oracle
conn=1 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.5.6 to 10.18.6.5
conn=2 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.10 to 10.18.6.5
conn=3 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.30.35.19 to 10.18.6.5
conn=4 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.40.35.11 to 10.18.6.5
conn=5 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.50.35.12 to 10.18.6.5
conn=6 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
conn=7 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.15 to 10.18.6.5
conn=8 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.20.35.16 to 10.18.6.5
conn=9 op=-1 msgId=-1 - fd=104 slot=104 LDAPS connection from 10.10.35.14 to 10.18.6.5
$
$
$ perl -lane 'if ($F[1] eq "uid=oracle") {$x{$F[0]}++}
# ^ -n reads the file line by line and -a splits each line on whitespace into
#   @F. A line whose second field is uid=oracle records its first field (the
#   conn=N token) as a key of %x.
#
# Any other line whose first field is an already recorded conn=N token adds one
# hit for $F[9], the tenth field, which is the source IP on the sample
# "connection from" lines. The line text itself is not checked, so other
# records carrying the same conn=N would be counted as well, and only lines
# that come after the uid record can match.
elsif (defined $x{$F[0]}) {$y{$F[9]}++}
# each() walks %y in no particular order, so the IP=... lines come out unsorted.
END {while (($k, $v) = each %y){print "IP=$k Hits=$v"}}
' f38
IP=10.10.35.14 Hits=2
IP=10.30.35.19 Hits=1
IP=10.10.5.6 Hits=1
$
$
tyler_durden
Thanks a lot tyler_durden, is there a way to modify the perl script to include two search patterns:
uid=oracle and uid=db2
to get
IP=w.x.y.z Hits=x Pattern=db2
IP=w.x.y.z Hits=x Pattern=oracle
I figured out I can use:
(($F[1] eq "uid=oracle") || ($F[1] eq "uid=db2"))
but can't figure out how to include Pattern=x
I would request someone's help!