Script Advice please?

Ok. I want to parse a log file and search only for denied traffic for the previous hour. The log looks like this:

Jun 18 17:47:56 routername 36806: Jun 18 17:53:01.088: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 1.2.3.4(1234) -> 6.7.8.9(53), 4 packets

I only really care about the time, routername and denied (fields 3-4,12)..

I currently have this in place:

grep "denied" file | grep gress | sed "s/  / /g" | cut -d " " -f 3-4 | sed "s/:/ :/g" | awk '$1 == 13' | cut -d " " -f 4 | sort -u

and then have that cron'ed to run every hour.... The first sed is used because between the 1st and 9th of the month, there is an extra space in the date. The second sed puts the hour in its own column to be matched on the awk. The end file just has the routernames sorted unique.

There has to be an easier/better way to go about this?

This just came to mind again when Shell Life posted this in another thread:

sed -n '/18:/,$ p' filename

and I thought that might be a good way to just search within the previous hour.

Help?

Try that (not tested):

awk -v hour=$(date +%H) '
   int($3) == hour && /denied/ && /gress/ {
      print $4:
   }
' file | sort -u

Gives me this error:

awk : cmd. line:4: print $4:
awk : cmd. line:4: ^ syntax error

edit: seems to work without the : after the $4.

Looks to be working... let me play with it a little more and I'll let you know... thanks.

Earnstaf,
This part will display entries in current and previous hours:

typeset -i mCurrHH
typeset -i mPrevHH
mCurrHH=`date +"%H"`
mPrevHH=${mCurrHH}-1
if [ ${mPrevHH} -eq -1 ]; then
  mPrevHH=23     ## Assuming 00:00 to 23:59
fi
mFirstPart='^... .. '
egrep "${mFirstPart}${mPrevHH}|${mFirstPart}${mCurrHH}" input_file

Seems to be working. So I guess I should cron this to run at 59th minute 30 second of every hour?

Shell Life,
Nice script. That might fit my needs a little better actually. That way I can just cron it to run on the hour and it will find everything for the previous hour (take out egrep and just grep on ${mPrevHH}). I notice you use the typeset in a lot of your scripts.. I'll do some reading on that and see what I can learn.

Thanks for the input. This forum has been very beneficial to me teaching me scripting... hopefully one day I can contribute as much as you guys do :slight_smile:

Edit: Quick question:
What is this part doing?

mFirstPart='^... .. '

Looks like some sort of regexp matching from the start of the line?? Thanks for your help.

Typing error, remove : or replace by ;

Edit: Quick question:
What is this part doing?

mFirstPart='^... .. '

It is a regular expression as follows:
1) Beginning of the line.
2) Three characters.
3) One space.
4) Two characters.
5) One space.
This is done to make sure the "egrep" is using the first date and not the second one:

Jun 18 14:17:56 routername 36806: Jun 18 17:53:01.088:
Jun 18 13:17:56 routername 36806: Jun 18 15:53:01.088:
Jun 18 12:17:56 routername 36806: Jun 18 17:53:01.088:
Jun 11 17:47:56 routername 36806: Jun 18 01:53:01.088:
Jun 11 17:47:56 routername 36806: Jun 18 13:53:01.088:
Jun 07 14:17:56 routername 36806: Jun 18 00:53:01.088:

As for the code, it can be improved to make sure it is using two digits for the hour:

typeset -i mCurrHH
typeset -Z2 mCurrGrep
typeset -i mPrevHH
typeset -Z2 mPrevGrep
mCurrHH=`date +"%H"`
mPrevHH=${mCurrHH}-1
if [ ${mPrevHH} -eq -1 ]; then
  mPrevHH=23
fi
mCurrGrep=${mCurrHH}
mPrevGrep=${mPrevHH}
mFirstPart='^... .. '
egrep "${mFirstPart}${mPrevGrep}|${mFirstPart}${mCurrGrep}"

My awk solution searches for the current hour.
For the previous hour:

awk -v hour=$(date +%H) '
   BEGIN {
      # wrap round at midnight: the hour before 00 is 23
      hour = (hour == 0) ? 23 : hour - 1
   }
   int($3) == hour && /denied/ && /gress/ {
      print $4
   }
' file | sort -u
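The previous-hour awk filter, written out as a function over a few constructed log lines so the midnight wrap and the single-digit-day case can be checked (this is an added example, not aigles' or anyone else's code from the thread; the function name, the sample router names and the addresses are made up):

```shell
#!/bin/sh
# Added example (not from the thread): report router names that logged
# denied traffic on a *gress ACL during the previous hour, keyed on the
# syslog receive timestamp (fields 1-3) exactly as aigles' awk does.
# The hour to look back from is passed in so the function can be tested
# without depending on the wall clock; in cron it would be $(date +%H).

# Constructed sample log; router names and addresses are invented.
SAMPLE_LOG='Jun 18 17:47:56 routerA 36806: Jun 18 17:53:01.088: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 1.2.3.4(1234) -> 6.7.8.9(53), 4 packets
Jun 18 16:12:03 routerB 1122: Jun 18 16:12:03.001: %SEC-6-IPACCESSLOG: list egress-filter denied udp 10.0.0.5(5353) -> 10.0.0.9(53), 1 packet
Jun 18 16:40:11 routerC 22: Jun 18 16:40:11.500: %SEC-6-IPACCESSLOG: list ingress-filter permitted tcp 10.0.0.6(80) -> 10.0.0.7(4000), 2 packets
Jun  8 16:05:00 routerA 36900: Jun  8 16:05:00.000: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 192.0.2.1(999) -> 10.0.0.1(22), 7 packets
Jun 18 00:03:09 routerD 7: Jun 18 00:03:09.000: %SEC-6-IPACCESSLOG: list ingress-filter denied icmp 198.51.100.2 -> 10.0.0.3, 1 packet
Jun 17 23:58:59 routerE 8: Jun 17 23:58:59.000: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 198.51.100.3(1) -> 10.0.0.4(25), 1 packet'

# denied_routers <current hour 0-23>
# Prints, sorted and unique, the router names with denied *gress entries
# whose syslog hour is the hour before the one given (23 when given 0).
denied_routers() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v hour="$1" '
        BEGIN { hour = (hour == 0) ? 23 : hour - 1 }
        # awk splits on runs of blanks, so "Jun  8" still leaves the time
        # in $3 and the router name in $4; int() drops ":05:00" from $3,
        # which is why no sed is needed for single-digit days.
        int($3) == hour && /denied/ && /gress/ { print $4 }
    ' | sort -u
}

denied_routers "${1:-$(date +%H)}"
```

Note that matching on the hour alone picks up every day's 16:xx entries still in the file (the Jun 8 line above is reported alongside the Jun 18 ones), so the hourly cron job only reports "the previous hour" if the log is rotated often enough that older days are gone.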

Looks good aigles... AWK is something that I really need to dig down into and learn. Thanks for your input.

Shell Life,
I can see why the typeset -Z2 is needed (so it doesn't find 20 when it should find 2), but the script isn't liking it:

./time.sh: line 4: typeset: -Z: invalid option
typeset: usage: typeset [-afFirtx] [-p] name[=value] ...

I tried it a few different ways:

typeset -Z2 mCurrGrep
typeset -Z 2 mCurrGrep
typeset -Z mCurrGrep 2
typeset -Z mCurrGrep=2

...same error on each. is -Z not an option in bash?

make your script a 'ksh' - '#!/bin/ksh' (on the first line of the script).

That did it .. thanks. I had read that bash offered most everything that the other shells do, and then some, in terms of scripting... I guess that isn't the case here, eh?
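For readers who want to stay in bash rather than switch the script to ksh, the zero-padding that typeset -Z2 provides can be done with printf '%02d' instead. This is an added example, not Shell Life's script or anything posted in the thread; the function names and the sample lines are assumptions, and the '^... .. ' anchor is the one explained above:

```shell
#!/bin/bash
# Added example (not from the thread): bash has no typeset -Z, so the
# two-digit hour for the grep pattern is produced with printf '%02d'.
# Function names and sample data are invented for illustration.

# prev_hour_regex <current hour 00-23>
# Echoes the grep -E pattern for the previous hour, anchored on the
# syslog timestamp with '^... .. ' so the router's own second timestamp
# later in the line is never the one matched.
prev_hour_regex() {
    local curr=$((10#$1))      # 10# stops "08"/"09" being read as octal
    local prev=$(( curr == 0 ? 23 : curr - 1 ))
    printf '^... .. %02d' "$prev"
}

# Constructed sample lines; router names and addresses are invented.
# routerB only has 09 in its second (router) timestamp, routerC shows the
# single-digit day with the extra space.
SAMPLE_LOG='Jun 18 09:47:56 routerA 36806: Jun 18 17:53:01.088: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 1.2.3.4(1234) -> 6.7.8.9(53), 4 packets
Jun 18 17:10:00 routerB 1: Jun 18 09:10:00.000: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 10.0.0.1(1) -> 10.0.0.2(22), 1 packet
Jun  8 19:10:00 routerC 2: Jun  8 19:10:00.000: %SEC-6-IPACCESSLOG: list ingress-filter denied tcp 10.0.0.3(1) -> 10.0.0.4(22), 1 packet'

# prev_hour_denied <current hour 00-23>
# Router names (field 4) with denied entries in the previous hour.
prev_hour_denied() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep -E "$(prev_hour_regex "$1")" \
        | grep denied \
        | awk '{ print $4 }' \
        | sort -u
}

prev_hour_denied "${1:-$(date +%H)}"
```

The 10# prefix matters: without it, "08" and "09" from date +%H make bash arithmetic fail with an invalid-octal error, which is the same class of edge case the midnight wrap handles for hour 00.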