Print lines before and after..not grep -A

zorrox · April 18, 2011, 5:35am

Hi

I have this in my file

[01002] 2011-04-18 15:32:11 [Root]system-alert-00012: UDP flood! From xxxxxx to yyyyyyyyyy, int ethernet0/2). Occurred 1 times.
[01003] 2011-04-18 15:32:11 [Root]system-alert-00012: UDP flood! From xxxxxx to yyyyyyyyyy, int ethernet0/2). Occurred 1 times.
[01004] 2011-04-18 15:32:11 [Root]system-alert-00008: IP spoofing! From xxxxxx to yyyyyyyyyy, int redundant1). Occurred 1 times.
[01377] 2011-04-18 15:31:52 [Root]system-alert-00012: UDP flood! From xxxxxx to yyyyyyyyyy, int ethernet0/2). Occurred 1 times.
[01378] 2011-04-18 15:31:52 [Root]system-alert-00012: UDP flood! From xxxxxx to yyyyyyyyyy, int ethernet0/2). Occurred 1 times.
[01379] 2011-04-18 15:31:52 [Root]system-alert-00012: UDP flood! From xxxxxx to yyyyyyyyyy, int ethernet0/2). Occurred 1 times.
[01380] 2011-04-18 15:31:51 [Root]system-alert-00008: IP spoofing! From xxxxxx to yyyyyyyyyy, int redundant1). Occurred 1 times.

My goal is to find how long the UDP flood is. So how do I search for a line that has "UDP flood" but the line before or after it does not have "UDP Flood"? awk or grep is prefered.

Thanks

Dahu · April 18, 2011, 5:43am

grep -An

print n lines After the line found by grep

grep -Bn

print n lines Before the line found by grep

grep -Cn

print n lines of Context from the line found by grep (n before and n after)

zorrox · April 18, 2011, 5:59am

I think you got it wrongly. If I use grep -An or -Bn or -Cn it will show all lines that have UDP flood. I do not want that. I want only lines that have UDP flood but the line before or after it must NOT have "UDP flood".

michaelrozar17 · April 18, 2011, 6:22am

Can you post how your output should look like from the given sample input..?

zorrox · April 18, 2011, 8:45am

Thanks for the reply. I guess my sample input should have more lines. So let us have more input lines:

[01575] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01576] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01577] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01578] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01579] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01580] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01581] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01582] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01583] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01584] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01585] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01586] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01587] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01588] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01589] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01590] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01591] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01592] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01593] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01594] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01595] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01596] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01597] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01598] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01599] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01600] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01601] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01602] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01603] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01604] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01605] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01606] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01607] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01608] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01609] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01610] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01611] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01612] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01613] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01614] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01615] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01616] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01617] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01618] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01619] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01620] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01621] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01622] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01623] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01624] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01625] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01626] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01627] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01628] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01629] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01630] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01631] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01632] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01633] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01634] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01635] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01636] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01637] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01638] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01639] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01640] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01641] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01642] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01643] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01644] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01645] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01646] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01647] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01648] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01649] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01650] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01651] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01652] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01653] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
016703] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01654] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01655] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01656] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01657] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01658] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01659] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01660] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01661] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01662] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 2 times.
[01663] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01664] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01665] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01666] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01667] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01668] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01669] 2011-04-18 15:31:15 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01671] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01672] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01673] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01674] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01675] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01676] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01677] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01678] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01679] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01680] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01681] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01682] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01683] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01684] 2011-04-18 15:31:11 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.

The output should look like this:

[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01594] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01611] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01642] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
016703] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01654] 2011-04-18 15:31:15 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01670] 2011-04-18 15:31:13 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.
[01671] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01683] 2011-04-18 15:31:11 [Root]system-alert-00012: UDP flood! From xxxxx to yyyyy, int ethernet0/2). Occurred 1 times.
[01684] 2011-04-18 15:31:11 [Root]system-alert-00008: IP spoofing! From xxxxx to yyyyy, int redundant1). Occurred 1 times.

Thanks

kato · April 18, 2011, 8:59am

try this:

awk '/UDP flood/{flood=$0; if(line){print line ORS $0;line=""}} !/UDP flood/{line=$0; if(flood){print flood ORS $0;flood=""}}' file

Dahu · April 18, 2011, 10:02am

Sorry for misunderstanding you. Try this :

grep -v "UDP flood" -A1 filename | grep -vE '^--$'

zorrox · April 18, 2011, 11:06pm

Thanks Kato and Dahu,

So far Kato's solution works better.
Would you Mr kato explain to me how your command works?

Thanks

kato · April 19, 2011, 8:22am

No problem. It is better to make the code more readable:

awk '
/UDP flood/{                 --> match lines with UDP flood 
    flood=$0;                  --> copy it for later
    if(line){                     --> if variable "line" is not empty
        print line ORS $0;    -->     print it and the current line
        line=""                   -->     reset the "line" variable
    }
} 
!/UDP flood/{                --> match lines not UDP flood
    line=$0;                    --> copy it for later
    if(flood){                   --> if variable "flood" is not empty
        print flood ORS $0;   -->    print it and the current line
        flood=""                         --> reset the "flood" variable
    } 
}' file

The 1st block saves UDP flood lines and prints the last line that was not UDP flood - the one immediately before it.
The 2nd block saves lines that are not UDP flood and prints the last UDP flood line - the one immediately before it.

Each block works together to match any lines before and after the UDP flood one.

Note that the ORS is the Output Record Seperater which defaults to a newline.

Hope that helps.

zorrox · April 20, 2011, 6:46am

Thank you very much Mr Kato. You are the best.