syslog grep/awk/sed display

What I am trying to do is pull all the "fail" and "error" from the HP-UX syslog except if it includes "sshd" or "ftpd" and IF the next line says "above message repeats NN time" display the next line.

Got some of it working with someone's help with sed but I'm more familiar with awk.

Trying to do this with awk:

cat syslog.log | sed -e '/sshd/d' -e '/ftpd/d' -e '/error/b' -e '/fail/b' -e d

I can do half:

awk '/(error|fail)/ { print; }' syslog.log

I want to add the !/(sshd|ftpd)/ to the awk statement in one statement, if possible.

Then I want to display the next line IF next line contains " above message repeats NN times"

I know how to display the next line:

awk '/(error|fail)/ { print; getline; print; }' syslog.log

But not sure how to do it ONLY if it contains " above message repeats NN times" and include the !/(sshd|ftpd)/

I know I can do it with multiple greps but I would like an awk one liner.

Something like this?

awk '(!/sshd/ && !/ftpd/) && /fail/ || /error/{print; f=1; getline}
/above message repeats/ && f
{f=0}' syslog.log

Excellent, that's exactly what I was looking for.

I had to add some brackets to get the correct output.

clear; awk '(!/sshd/ && !/ftpd/) && (/failed/ || /error/) {print; f=1; getline}
/above message repeats/ && f
{f=0}' syslog.log


Ok, I've come across a problem...

# cat syslog.log
Some error 1
Some error 1
Some error 2
above message repeats 10 times
Some error 3 sshd
Some error 4 ftpd
some error 5 what ever
some error 5 what ever
above message repeats 10 times

When I run the code I get:

Some error 1
Some error 2
above message repeats 10 times
some error 5 what ever

I should get:

Some error 1
Some error 1
Some error 2
above message repeats 10 times
some error 5 what ever
some error 5 what ever
above message repeats 10 times.

Sorry, I misunderstood the question, try this:

awk '(!/sshd/ && !/ftpd/) && (/fail/ || /error/){print; f=1;}
/above message repeats/ && f{print;f=0}' syslog.log

Yes, awesome.. Thanks again.
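
An added example, not part of the original thread: in the last command the flag `f` stays set across excluded lines, so an "above message repeats" line that follows an sshd or ftpd line is still printed whenever an earlier error line set the flag. The variant below re-evaluates the flag on every ordinary line, so a repeat marker is shown only when the line directly before it was shown. The names `filter_syslog`, `thread_filter` and `sample_log`, and the sample log itself, are constructed for illustration.

```shell
#!/bin/sh
# Added example. All function names and the sample log are constructed.

# Variant: a repeat marker inherits the decision made for the line before it.
filter_syslog() {
  awk '
    # Repeat marker: print only if the previous ordinary line was kept.
    # "keep" is left unchanged so the decision still refers to that line.
    /above message repeats/ { if (keep) print; next }

    # Ordinary line: decide afresh, which also clears a stale flag.
    { keep = ($0 ~ /fail|error/) && ($0 !~ /sshd|ftpd/) }

    keep   # print the line when it was kept
  ' "$@"
}

# The last command from the thread, reading stdin, for comparison.
thread_filter() {
  awk '(!/sshd/ && !/ftpd/) && (/fail/ || /error/){print; f=1;}
/above message repeats/ && f{print;f=0}' "$@"
}

# Constructed sample: the first repeat marker belongs to an sshd line,
# the second to a wanted line, the third to a line that is not an error.
sample_log() {
  cat <<'EOF'
Some error 1
Some error 3 sshd
above message repeats 10 times
some error 5 what ever
above message repeats 10 times
disk check ok
above message repeats 3 times
EOF
}

echo "--- thread command ---"
sample_log | thread_filter
echo "--- variant ---"
sample_log | filter_syslog
```

On the sample, the thread command prints two repeat markers (one of them belonging to the sshd line), while the variant prints only the one that follows "some error 5 what ever".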