Chinaunix

标题: 如何用sed抽取要求数据并列印 [打印本页]
作者: heero319    时间: 2013-07-30 23:45
标题: 如何用sed抽取要求数据并列印
本帖最后由 rdcwayx 于 2013-08-06 11:59 编辑

原始文件数据格式
  1. Nov 12 19:56:52 libra kernel: [ 1353.27355] WarningIN=em0 OUT=eth0 MAC=c8:1b:3c:fd:5D:e9:90:a9:8F:43:83:E3:15:0e SRC=222.171.89.16 DST=49.137.111.136 LEN=222 TOS=0x8C PREC=0xbF TTL=107 ID=31469 PROTO=ICMP TYPE=35 CODE=8 ID=24917 SEQ=166

  3. Aug 00 08:35:51 virgo kernel: [ 4584.5613] That's oddIN=em0 OUT=eth0 MAC=0a:09:AA:4F:6C:41:c6:De:D6:6f:83:41:8e:dC SRC=142.53.155.238 DST=252.1.134.24 LEN=506 TOS=0x11 PREC=0x5c TTL=67 ID=5098 PROTO=ICMP TYPE=35 CODE=5 ID=31329 SEQ=22

  5. Jun 21 11:47:48 taurus kernel: [ 741.5237] Look into this IN=em1 OUT=eth0 MAC=Bd:5b:ab:b7:47:fA:df:53:0E:E8:A7:2a:f6:c6 SRC=50.219.1.59 DST=56.95.45.60 LEN=390 TOS=0xf2 PREC=0x79 TTL=122 ID=28867 PROTO=UDP SPT=16351 DPT=15354 LEN=9

  7. Apr 15 19:17:12 virgo kernel: [ 1671.25071] MISSIVE IN=em0 OUT=eth1 MAC=aD:eD:f1:Ad:b4:6E:34:e2:37:0b:74:6A:Cd:cA SRC=225.17.31.15 DST=201.90.116.37 LEN=187 TOS=0x57 PREC=0x95 TTL=48 ID=4061 PROTO=TCP SPT=5351 DPT=24612 WINDOW=4712 RES=0x68 ACK NS UGRP=0

  9. Jun 17 12:12:51 taurus kernel: [ 2483.26385] That's oddIN=em1 OUT= MAC=82:B9:cC:dd:D6:4f:31:FA:6c:ca:67:79:eC:3D SRC=110.213.149.228 DST=237.146.122.240 LEN=293 TOS=0xF4 PREC=0xfE TTL=89 ID=10562 PROTO=ICMP TYPE=35 CODE=1 ID=779 SEQ=237
复制代码
如何用sed列印为
  1. 19:56:52 12 Nov;Warning;em0;eth0;222.171.89.16;49.137.111.136;ICMP;;

  3. 08:35:51 00 Aug;That's odd;em0;eth0;142.53.155.238;252.1.134.24;ICMP;;

  5. 11:47:48 21 Jun;Look into this ;em1;eth0;50.219.1.59;56.95.45.60;UDP;16351;15354

  7. 19:17:12 15 Apr;MISSIVE ;em0;eth1;225.17.31.15;201.90.116.37;TCP;5351;24612

  9. 12:12:51 17 Jun;That's odd;em1;;110.213.149.228;237.146.122.240;ICMP;;
复制代码
作者: bikong0411    时间: 2013-07-31 08:15
就是捕获替换
作者: WilliBhamlll    时间: 2013-07-31 09:59
体力活,一条sed还完不成。
  1. sed -r 's/([^ ]+) ([^ ]+) ([^ ]+) [^]]+\] (.+)IN=([^ ]+) OUT=([^ ]+)* .*SRC=([^ ]+) DST=([^ ]+) .*PROTO=(.*)/\3 \2 \1;\4;\5;\6;\7;\8;\9;/' file|sed -r 's/(([^;]*;){6})([^ ]+) (SPT=)*([0-9]+ )*(DPT=)*([0-9]+)*.*/\1\3;\5;\7/'
  2. 19:56:52 12 Nov;Warning;em0;eth0;222.171.89.16;49.137.111.136;ICMP;;

  4. 08:35:51 00 Aug;That's odd;em0;eth0;142.53.155.238;252.1.134.24;ICMP;;

  6. 11:47:48 21 Jun;Look into this ;em1;eth0;50.219.1.59;56.95.45.60;UDP;16351 ;15354

  8. 19:17:12 15 Apr;MISSIVE ;em0;eth1;225.17.31.15;201.90.116.37;TCP;5351 ;24612

  10. 12:12:51 17 Jun;That's odd;em1;;110.213.149.228;237.146.122.240;ICMP;;
复制代码
作者: yestreenstars    时间: 2013-07-31 10:07
本帖最后由 yestreenstars 于 2013-07-31 10:12 编辑
  1. [root@localhost ~]# awk 'NF{s1=gensub(/.*\] ([^=]*)IN=([^ ]*) OUT=([^ ]*).*SRC=([^ ]*) DST=([^ ]*).*PROTO=([^ ]*).*/,"\\1;\\2;\\3;\\4;\\5;\\6;",1);s2=/SPT/?gensub(/.*SPT=([^ ]*).*/,"\\1",1):"";s3=/DPT/?gensub(/.*DPT=([^ ]*).*/,"\\1",1):"";printf "%s %s %s %s%s;%s\n",$3,$2,$1,s1,s2,s3}!NF' i
  2. 19:56:52 12 Nov Warning;em0;eth0;222.171.89.16;49.137.111.136;ICMP;;

  4. 08:35:51 00 Aug That's odd;em0;eth0;142.53.155.238;252.1.134.24;ICMP;;

  6. 11:47:48 21 Jun Look into this ;em1;eth0;50.219.1.59;56.95.45.60;UDP;16351;15354

  8. 19:17:12 15 Apr MISSIVE ;em0;eth1;225.17.31.15;201.90.116.37;TCP;5351;24612

  10. 12:12:51 17 Jun That's odd;em1;;110.213.149.228;237.146.122.240;ICMP;;
  11. [root@localhost ~]#
复制代码
作者: yestreenstars    时间: 2013-07-31 10:31
@WilliBhamlll
一条也是可以完成的:
  1. [root@localhost ~]# sed -r 's/^([^ ]*) ([^ ]* )([^ ]* ).*\] ([^=]*)IN=([^ ]*) OUT=([^ ]*).*SRC=([^ ]*) DST=([^ ]*)(.*)/\3\2\1;\4;\5;\6;\7;\8;\9/;s/(.*);.*PROTO=([^ ]*) (SPT=([^ ]*) DPT=([^ ]*))?.*/\1;\2;\4;\5/' i
  2. 19:56:52 12 Nov;Warning;em0;eth0;222.171.89.16;49.137.111.136;ICMP;;

  4. 08:35:51 00 Aug;That's odd;em0;eth0;142.53.155.238;252.1.134.24;ICMP;;

  6. 11:47:48 21 Jun;Look into this ;em1;eth0;50.219.1.59;56.95.45.60;UDP;16351;15354

  8. 19:17:12 15 Apr;MISSIVE ;em0;eth1;225.17.31.15;201.90.116.37;TCP;5351;24612

  10. 12:12:51 17 Jun;That's odd;em1;;110.213.149.228;237.146.122.240;ICMP;;
  11. [root@localhost ~]#
复制代码
作者: WilliBhamlll    时间: 2013-07-31 10:39
回复 5# yestreenstars

不错,学习了!
   
作者: heero319    时间: 2013-08-01 01:40
that's  very smart!!!!
作者: heero319    时间: 2013-08-03 23:06
回复 4# yestreenstars


    我有一个很具体的问题想请教你,能+下QQ吗?
231103313
作者: yestreenstars    时间: 2013-08-06 09:50
回复 8# heero319


    有问题直接在这里问就好了~
作者: heero319    时间: 2013-08-06 09:57
回复 9# yestreenstars


    我刚了一贴,关于脚本的修改的
作者: rdcwayx    时间: 2013-08-06 10:01
heero319 发表于 2013-07-31 01:45
原始文件数据格式如何用sed列印为

我给添加了代码框,看起来舒服些。
  1. 下次发类似的贴,别忘了。  
复制代码




欢迎光临 Chinaunix (http://bbs.chinaunix.net/) Powered by Discuz! X3.2