基于我在这里找到的类似问题,我需要额外的帮助:将多行转换为单行
当前 SED 示例
(sed -e'y/)},={/(((((/' \
-e's/-\([^(I]*\)[^0-9]*\([0-9]*\)[( ]*/- \2 -\1/;=' |
paste -d- - - |
sort -t- -nk3,3 -nk1,1 |
sed -e's/^[^-]*-//;:n' -e'h;$!N' \
-e's/\(-\([^-]*-\).*[^ ]\) *\n\([^-]*-\)\{2\}\2/\1 - \3/;tn' \
-ex\;:t -e's/\(\([^-]*-\)[^/]*\) - *\2/\1,/;tt' -e'p;g;D' ) \
< in.txt > out.txt
遵循多行日志
6/13/2015 12:00:47 AM - { 562} START Web
6/13/2015 12:00:47 AM - Requested Web connection from 123.125.71.103[123.125.71.103], ID=562
6/13/2015 12:01:24 AM - { 563} START POP3
6/13/2015 12:01:24 AM - Requested POP3 connection from 10.127.251.37 [10.127.251.37], ID=563
6/13/2015 12:01:24 AM - ( 563) USER [email protected]
6/13/2015 12:01:24 AM - POP3 connection with 10.127.251.37 [10.127.251.37] ended. ID=563
6/13/2015 12:01:24 AM - { 563} END POP3
6/13/2015 12:01:24 AM - { 564} START POP3
6/13/2015 12:01:24 AM - Requested POP3 connection from 10.127.251.37 [10.127.251.37], ID=564
6/13/2015 12:01:24 AM - ( 564) USER [email protected]
6/13/2015 12:01:24 AM - POP3 connection with 10.127.251.37 [10.127.251.37] ended. ID=564
6/13/2015 12:01:24 AM - { 564} END POP3
6/13/2015 12:01:40 AM - Web connection with 123.125.71.103 [123.125.71.103] ended. ID=562
6/13/2015 12:01:40 AM - { 562} END Web
转换为
6/13/2015 12:00:47 AM - 562 - START Web, Requested Web connection from 123.125.71.103 [123.125.71.103] - 6/13/2015 12:01:40 AM - Web connection with 123.125.71.103 [123.125.71.103] ended., END Web
6/13/2015 12:01:24 AM - 563 - START POP3, Requested POP3 connection from 10.127.251.37 [10.127.251.37], USER [email protected], POP3 connection with 10.127.251.37 [10.127.251.37] ended., END POP3
6/13/2015 12:01:24 AM - 564 - START POP3, Requested POP3 connection from 10.127.251.37 [10.127.251.37], USER [email protected], POP3 connection with 10.127.251.37 [10.127.251.37] ended., END POP3
我想修改 SED 以包含以下 ID 位于方括号中的日志(例如:[ 667])。
日志示例
6/13/2015 2:15:09 AM - Starting delivery thread, ID=667
6/13/2015 2:15:09 AM - { 667} START Delivery
6/13/2015 2:15:09 AM - Active delivery threads (ID=667 start): 0
6/13/2015 2:15:09 AM - [ 667] Delivering to [email protected]
6/13/2015 2:15:09 AM - [ 667] Forwarding mail...
6/13/2015 2:15:09 AM - [ 667] Forwarding message to 1 address(es)
6/13/2015 2:15:09 AM - Delivery thread, ID=667, terminated after running for 0.031 seconds.
6/13/2015 2:15:09 AM - { 667} END Delivery
6/13/2015 2:15:09 AM - Active delivery threads (ID=667 end): 0
我的第二个问题是如何忽略没有 ID 的日志。这并不是那么重要,但最好过滤掉。
例如:
6/13/2015 2:43:24 AM - Exended logging
6/13/2015 2:43:24 AM - Setting msgSizeLimit 15
提前致谢。
答案1
这只是第一个sed需要修改的地方,以处理您在此处列出的所有可能性。具体来说,您不需要在单个正则表达式中处理所有可能性,而是需要分别处理两种不同类型的行——即ID紧跟-在一行上的第一个破折号之后,以及在其上发现的另一种破折号标记为ID=别的地方。
( sed -e= -e's/- [({[] *\([0-9]*\) *[])}]/- \1 -/;t' \
-e's/-\(.*[^, ]\)[, ]*ID=\([0-9]*\)[, ]\{0,1\}/- \2 -\1/' |
paste -d- - - |
sort -t- -nk3,3 -nk1,1 |
sed -e's/^[^-]*-//;:n' -e'h;$!N' \
-e's/\(-\([^-]*-\).*[^ ]\) *\n\([^-]*-\)\{2\}\2/\1 - \3/;tn' \
-ex\;:t -e's/\(\([^-]*-\)[^/]*\)- *\2/\1:::/;tt' -e'p;g;D'
) <in >out
这是第二次,但使用-E扩展的正则表达式语法编写。这至少适用于 BSD/GNU/AST sed:
( sed -Ee= -e's/- [({[] *([0-9]+) *[])}]/- \1 -/;t' \
-e's/-(.*[^, ])[, ]*ID=([0-9]+)[, ]?/- \2 -\1/' |
paste -d- - - |
sort -t- -nk3,3 -nk1,1 |
sed -Ee's/^[^-]*-//;:n' -e'h;$!N' \
-e's/(-([^-]+-).*[^ ]) *\n([^-]+-){2}\2/\1 - \3/;tn' \
-ex\;:t -e's/(([^-]+-)[^/]*)- *\2/\1:::/;tt' -e'p;g;D'
) <in >out
现在我对所有日志数据的串联进行了测试:
6/13/2015 12:00:47 AM - { 562} START Web
6/13/2015 12:00:47 AM - Requested Web connection from 123.125.71.103[123.125.71.103], ID=562
6/13/2015 12:01:24 AM - { 563} START POP3
6/13/2015 12:01:24 AM - Requested POP3 connection from 10.127.251.37 [10.127.251.37], ID=563
6/13/2015 12:01:24 AM - ( 563) USER [email protected]
6/13/2015 12:01:24 AM - POP3 connection with 10.127.251.37 [10.127.251.37] ended. ID=563
6/13/2015 12:01:24 AM - { 563} END POP3
6/13/2015 12:01:24 AM - { 564} START POP3
6/13/2015 12:01:24 AM - Requested POP3 connection from 10.127.251.37 [10.127.251.37], ID=564
6/13/2015 12:01:24 AM - ( 564) USER [email protected]
6/13/2015 12:01:24 AM - POP3 connection with 10.127.251.37 [10.127.251.37] ended. ID=564
6/13/2015 12:01:24 AM - { 564} END POP3
6/13/2015 12:01:40 AM - Web connection with 123.125.71.103 [123.125.71.103] ended. ID=562
6/13/2015 12:01:40 AM - { 562} END Web
6/13/2015 2:15:09 AM - Starting delivery thread, ID=667
6/13/2015 2:15:09 AM - { 667} START Delivery
6/13/2015 2:15:09 AM - Active delivery threads (ID=667 start): 0
6/13/2015 2:15:09 AM - [ 667] Delivering to [email protected]
6/13/2015 2:15:09 AM - [ 667] Forwarding mail...
6/13/2015 2:15:09 AM - [ 667] Forwarding message to 1 address(es)
6/13/2015 2:15:09 AM - Delivery thread, ID=667, terminated after running for 0.031 seconds.
6/13/2015 2:15:09 AM - { 667} END Delivery
6/13/2015 2:15:09 AM - Active delivery threads (ID=667 end): 0
我的结果是:
6/13/2015 12:00:47 AM - 562 - START Web ::: Requested Web connection from 123.125.71.103[123.125.71.103] - 6/13/2015 12:01:40 AM - Web connection with 123.125.71.103 [123.125.71.103] ended. ::: END Web
6/13/2015 12:01:24 AM - 563 - START POP3 ::: Requested POP3 connection from 10.127.251.37 [10.127.251.37] ::: USER [email protected] ::: POP3 connection with 10.127.251.37 [10.127.251.37] ended. ::: END POP3
6/13/2015 12:01:24 AM - 564 - START POP3 ::: Requested POP3 connection from 10.127.251.37 [10.127.251.37] ::: USER [email protected] ::: POP3 connection with 10.127.251.37 [10.127.251.37] ended. ::: END POP3
6/13/2015 2:15:09 AM - 667 - Starting delivery thread ::: START Delivery ::: Active delivery threads (start): 0 ::: Delivering to [email protected] ::: Forwarding mail... ::: Forwarding message to 1 address(es) ::: Delivery thread terminated after running for 0.031 seconds. ::: END Delivery ::: Active delivery threads (end): 0