求助：如何用awk模式匹配输出特定字段

three_body

如下为防火墙日志，其中有字段service=http proto=6，如何输出service=http这个字段呢，service字段有可能包含好几个空格，并且不确定究竟会有几个，但是后面的字段肯定是proto，如何用awk模式匹配输出service这个字段呢？
2011-09-30 00:00:20     Local0.Notice   10.2.0.254      ns50: NetScreen device_id=0019022004000299  [Root]system-notification-00257(traffic): start_time="2011-09-30 00:01:05" duration=15 policy_id=103 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2683 rcvd=766 src=10.100.1.43 dst=119.188.11.3 src_port=4048 dst_port=80 src-xlated ip=218.206.244.202 port=4679 dst-xlated ip=119.188.11.3 port=80 session_id=61727 reason=Close - AGE OUT<000>
2011-09-30 00:00:20     Local0.Notice   10.2.0.254      ns50: NetScreen device_id=0019022004000299  [Root]system-notification-00257(traffic): start_time="2011-09-30 00:01:05" duration=15 policy_id=103 service=NETBIOS (NS) proto=17 src zone=Trust dst zone=Untrust action=Permit sent=2674 rcvd=766 src=10.100.1.43 dst=119.188.11.3 src_port=4045 dst_port=137 src-xlated ip=218.206.244.202 port=15311 dst-xlated ip=119.188.11.3 port=137 session_id=62271 reason=Close - AGE OUT<000>
2011-09-30 00:00:20     Local0.Notice   10.2.0.254      ns50: NetScreen device_id=0019022004000299  [Root]system-notification-00257(traffic): start_time="2011-09-30 00:01:05" duration=15 policy_id=103 service=VDO Live (tcp) proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2645 rcvd=766 src=10.100.1.43 dst=119.188.11.3 src_port=4044 dst_port=7001 src-xlated ip=218.206.244.202 port=14295 dst-xlated ip=119.188.11.3 port=7001 session_id=59240 reason=Close - AGE OUT<000>

ly5066113

回复 1# three_body


一定要用 awk 么？

grep -Po 'service=.*(?= proto=)' file

q1208c

why awk ?

sed -s 's/^.*\(service=.*\) proto=.*$/\1/' file7

jason680

回复 1# three_body

There are many way to do that ...

1. to get the data by two sections key word
   service=NETBIOS (NS) proto=17

# awk 'function get(k,n, s,e,t){t=length(k)+1;s=index($0,k"=");e=index($0,n"=");if(s<e){return(substr($0,s+t, e-s-t-1))}return""}{print get("service", "proto")}' FILE
http
NETBIOS (NS)
VDO Live (tcp)
   
2. assign the each key and value to an array and use easily
service=NETBIOS (NS) proto=17

# awk -F= '{for(n=1;n<NF;n++){k=$n;v=$(n+1);sub(/.+ /,"",k);sub(/ [^ ]+$/,"",v);a[k]=v}print a["service"], a["ip"]}' FILE
http 119.188.11.3
NETBIOS (NS) 119.188.11.3
VDO Live (tcp) 119.188.11.3

ly5066113

回复 1# three_body


awk -F 'proto|service' '{print "service"$2}' file

three_body

是我想复杂了，只要能取出来就行，谢谢大家，我先试试。

three_body

接着像大家求教，如何只输出标红部分的内容呢？
2011-09-30 00:00:20     Local0.Notice   10.2.0.254      ns50: NetScreen device_id=0019022004000299  [Root]system-notification-00257(traffic): start_time="2011-09-30 00:01:05" duration=15 policy_id=103 service=VDO Live (tcp) proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2645 rcvd=766 src=10.100.1.43 dst=119.188.11.3 src_port=4044 dst_port=7001 src-xlated ip=218.206.244.202 port=14295 dst-xlated ip=119.188.11.3 port=7001 session_id=59240 reason=Close - AGE OUT<000>

q1208c

回复 7# three_body


    参考我给的 sed 的提示.

three_body

q1208c 发表于 2014-03-20 11:37
回复 7# three_body

好，我先试试，刚才用grep没弄出来。

three_body

q1208c 发表于 2014-03-20 11:37
回复 7# three_body

1. sed -s 's/.*\(policy_id=.*\) action=.*\( src=.*\) src-xlated.*$/\1\2/'  test

复制代码

这样就可以了，不知道有没有办法可以同时将service=VDO Live (tcp)变成service=VDO_Live_(tcp)，这样输出的格式就统一了。