How to extract specific string values from a multi-line event

Question. Votes: 0, Answers: 2

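This is my multi-line event. All I need to do is create a CSV file with the Timestamp, User, ecid and RemoteIP values. These fields are available in row 1, row 11, row 14 and row 16 of my multi-line event. I tried using AWK and was able to find the lines starting with User, ecid, etc. using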

awk -F'[=:]' '/User|ecid|RemoteIP/{print NR ", " $2  }' filename.txt

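But I need to know how to get the timestamp on line 1. Also, I need to know how to make these 4 values appear on a single line separated by pipes. I am looking for some input in AWK or Perl.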

[2019-03-01T10:08:30.00] [OBIPS] [TRACE:1] [] [saw.httpserver.request.showrequest] [ecid: 90b8:1e:16:-800-000,0:9] [tid: 563620160] Request received.
Type: POST            Headers:
Connection=Keep-Alive
Content-Length=58
Cookie=ORA_BIPS_LBINFO=16938b9e78c
User-Agent=Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36
X-BlueCoat-Via=56038f342870633d
X-Forwarded-For=10.132.198.91
            Request params:
bieehome
icharset=utf-8
User=bi_admin
Password=******
SessionID: 9n5be88r2b041s5s6toojpagruk7ums
ecid: 90b8:1e:16:-800-000,0:9
ThreadID: 5636201600
RemoteIP: 10.192.121.136
]]

Output

Timestamp | User | ecid | RemoteIP
2019-03-01T10:08:30.00 | bi_admin | 90b8:1e:16:-800-000,0:9 | 10.192.121.136
perl awk
2 Answers
0
votes

Could you please try the following; I will also add a non-one-liner form and an explanation of the code shortly.

awk  '
BEGIN{
  OFS=" | "
  print "Timestamp | User | ecid | RemoteIP"
}
/^\]\]/{
  if(val){
      print val
  }
  val=""
}
/^\[[0-9]+\-[0-9]+\-[0-9]+/{
  gsub(/\]|\[|\..*/,"",$1)
  val=$1
  next
}
/User=/{
  sub(/.*User=/,"")
  val=val OFS $0
  next
}
/ecid/{
  sub(/.*: /,"")
  val=val OFS $0
  next
}
/RemoteIP/{
  sub(/.*: /,"")
  val=val OFS $0
}
END{
  if(val){
    print val
  }
}
'  Input_file

Output will be as follows.

Timestamp | User | ecid | RemoteIP
2019-03-01T10:08:30 | bi_admin | 90b8:1e:16:-800-000,0:9 | 10.192.121.136

Explanation of the above code:

awk  '                                                     ##Starting awk program here.
BEGIN{                                                     ##Starting BEGIN section from here.
  OFS=" | "                                                ##Setting OFS(output field separator) as space pipe space for all lines of Input_file.
  print "Timestamp | User | ecid | RemoteIP"               ##Printing header mentioned by OP in request here, will be printed before Input_file gets read.
}                                                          ##Closing BEGIN section of awk program here.
/^\]\]/{                                                   ##Checking condition if a line starts from ]] then do following.
  if(val){                                                 ##Checking condition if variable val value is NOT NULL then do following.
      print val                                            ##Printing variable val here.
  }                                                        ##Closing block for if condition here.
  val=""                                                   ##Nullifying variable val here.
}                                                          ##Closing BLOCK for ]] condition.
/^\[[0-9]+\-[0-9]+\-[0-9]+/{                               ##Checking condition if a line starts from [ digits-digits-digits then do following.
  gsub(/\]|\[|\..*/,"",$1)                                 ##Globally removing ], [ and everything from the first dot (the fractional seconds) in 1st field.
  val=$1                                                   ##Setting value of val as $1 here.
  next                                                     ##Skipping all statements from here.
}                                                          ##Closing BLOCK for ^[ condition now.
/User=/{                                                   ##Checking condition if a line contains User= then do following.
  sub(/.*User=/,"")                                        ##Substituting everything till User=
  val=val OFS $0                                           ##Concatenating value of $0 to val here.
  next                                                     ##next will skip all statements from here.
}
/ecid/{                                                    ##Checking condition if a line contains ecid then do following.
  sub(/.*: /,"")                                           ##Substituting everything till : space in line.
  val=val OFS $0                                           ##Concatenating value of $0 to val here.
  next                                                     ##next will skip all statements from here.
}
/RemoteIP/{                                                ##Checking condition if a line contains RemoteIP then do following.
  sub(/.*: /,"")                                           ##Substituting everything till : space in line.
  val=val OFS $0                                           ##Concatenating value of $0 to val here.
}
END{                                                       ##mentioning END section of this awk code, this will be executed once Input_file is done with reading.
  if(val){                                                 ##Checking if variable val is NOT NULL then do following.
    print val                                              ##Printing variable val here.
  }
}
' Input_file                                               ##Mentioning Input_file name here.

1
vote

Use a space, or : (followed by a space), or =, [ or ] as the field separator (FS). OFS is the output field separator.

awk 'BEGIN{FS=" |: |=|\\[|\\]"; OFS=" | "} 
     $5=="OBIPS"    {time=$2}
     $1=="User"     {user=$2}
     $1=="ecid"     {ecid=$2}
     $1=="RemoteIP" {ip=$2; print time,user,ecid,ip}' file

Output:

2019-03-01T10:08:30.00 | bi_admin | 90b8:1e:16:-800-000,0:9 | 10.192.121.136

See: 8 Powerful Awk Built-in Variables – FS, OFS, RS, ORS, NR, NF, FILENAME, FNR
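A variant for log files that hold many events: it resets its state at every event header and prints a placeholder for a missing field, so a request without a User= line neither shifts the columns nor inherits the previous event's user. This is an added example, not code from either answer; the function names `sample_log` and `extract_events`, the `-` placeholder and the second sample event are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: event 1 is shortened from the question, event 2 is made up
# and deliberately has no User= line.
sample_log() {
  cat <<'EOF'
[2019-03-01T10:08:30.00] [OBIPS] [TRACE:1] [] [saw.httpserver.request.showrequest] [ecid: 90b8:1e:16:-800-000,0:9] [tid: 563620160] Request received.
User-Agent=Mozilla/5.0
User=bi_admin
ecid: 90b8:1e:16:-800-000,0:9
RemoteIP: 10.192.121.136
]]
[2019-03-01T10:09:02.00] [OBIPS] [TRACE:1] [] [saw.httpserver.request.showrequest] [ecid: constructed-ecid-2] [tid: 1] Request received.
ecid: constructed-ecid-2
RemoteIP: 192.0.2.10
]]
EOF
}

# Reads OBIPS-style multi-line events from files or stdin, one output row per event.
extract_events() {
  awk '
    # Placeholder for a field the event did not carry, so columns stay aligned.
    function v(x) { return (x == "" ? "-" : x) }
    # Print the pending event (if any) and clear all per-event state.
    function emit() {
      if (seen) print v(ts), v(user), v(ecid), v(ip)
      seen = 0; ts = user = ecid = ip = ""
    }
    BEGIN { OFS = " | "; print "Timestamp", "User", "ecid", "RemoteIP" }
    # Event header "[<timestamp>] [OBIPS] ..." closes the previous event.
    /^\[[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ {
      emit()
      ts = substr($0, 2, index($0, "]") - 2)   # text between "[" and first "]"
      seen = 1
      next
    }
    # Anchored patterns: "User-Agent=" and the header "[ecid: ...]" do not match.
    /^User=/      { user = substr($0, 6);  next }
    /^ecid: /     { ecid = substr($0, 7);  next }
    /^RemoteIP: / { ip   = substr($0, 11); next }
    END { emit() }
  ' "$@"
}

sample_log | extract_events
```

Run it against a real file with `extract_events filename.txt`; the fractional seconds are kept, as in the output the question asks for.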
