
awk and uniq 3

Status
Not open for further replies.

AIXtexas

Technical User
Feb 5, 2002
80
US
Hello, below is a portion of my output file:

06/13-09 55 55.012358 [**] [1 1201 7] ATTACK-RESPONSES 403 Forbidden [**] [Classification Attempted Information Leak] [Priority 2] {TCP} 168.75.35.140 80 -> 66.194.6.71 45175
06/13-09 56 08.106537 [**] [1 1201 7] ATTACK-RESPONSES 403 Forbidden [**] [Classification Attempted Information Leak] [Priority 2] {TCP} 168.75.35.140 80 -> 66.194.6.80 33904
06/13-09 55 55.012358 [**] [1 1201 7] ATTACK-RESPONSES 403 Forbidden [**] [Classification Attempted Information Leak] [Priority 2] {TCP} 168.75.35.140 80 -> 66.194.6.71 45175
06/13-09 56 08.106537 [**] [1 1201 7] ATTACK-RESPONSES 403 Forbidden [**] [Classification Attempted Information Leak] [Priority 2] {TCP} 168.75.35.140 80 -> 66.194.6.80 33904
06/13-09 55 55.012358 [**] [1 1201 7] ATTACK-RESPONSES 403 Forbidden [**] [Classification Attempted Information Leak] [Priority 2] {TCP} 168.75.35.140 80 -> 66.194.6.71 45175
06/13-09 56 08.106537 [**] [1 1201 7] ATTACK-RESPONSES 403 Forbidden [**] [Classification Attempted Information Leak] [Priority 2] {TCP} 168.75.35.140 80 -> 66.194.6.80 33904

I'm looking for the count for each IP Address and the IP Address, for example, like below:

6 66.194.6.71

The below command was my attempt, but it does not work.

cat alert | grep "ATTACK-RESPONSES" | tr ":" " " | awk '{ print ($NF-1)}' | sort | uniq -c


Thanks,
Shane
 
Try this:

cat alert | grep "ATTACK-RESPONSES" | tr ":" " " | awk '{ print $(NF-1)}' | sort | uniq -c



HTH,

p5wizard
 
cat+grep+tr+awk !
awk '/ATTACK-RESPONSES/{gsub(/:/," ");print $(NF-1)}' alert | sort | uniq -c

Hope This Helps, PH.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884 or FAQ181-2886
 
Code:
nawk '/ATTACK-RESPONSES/ { arr[$(NF-1)]++ } END { for (i in arr) print arr[i], i }' alert

vlad
+----------------------------+
| #include<disclaimer.h> |
+----------------------------+
 
or
Code:
nawk '/ATTACK-RESPONSES/ && arr[$(NF-1)]++ {} END { for (i in arr) print arr[i], i }' alert

vlad
+----------------------------+
| #include<disclaimer.h> |
+----------------------------+
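Added example, not code from the thread: a shell function that does the same per-destination count on Snort's original colon-separated alert format, splitting only the last field so the port is dropped without the whole-line `tr`, plus a one-liner showing why the original `$NF-1` printed the wrong value. The sample alert lines are constructed, not the poster's file.

```shell
#!/bin/sh
# Constructed sample in Snort "fast" alert format (colons intact); the last
# line is a non-matching alert with no port, to show the filter and the split.
SAMPLE_ALERTS='06/13-09:55:55.012358 [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 168.75.35.140:80 -> 66.194.6.71:45175
06/13-09:56:08.106537 [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 168.75.35.140:80 -> 66.194.6.80:33904
06/13-09:57:01.000001 [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 168.75.35.140:80 -> 66.194.6.71:45180
06/13-09:58:30.500000 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 66.194.6.71'

# count_dst_ips PATTERN  <alerts
# Prints "count ip" for every destination IP on lines matching PATTERN
# (an awk regex), most frequent first. The destination is the last field;
# split() on ':' keeps the IP and drops the port, and works unchanged on
# lines that have no port at all (e.g. ICMP).
count_dst_ips() {
    awk -v pat="$1" '
        $0 ~ pat {
            split($NF, a, ":")    # "66.194.6.71:45175" -> a[1] = "66.194.6.71"
            n[a[1]]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr
}

# Why the original "$NF-1" failed: awk binds "$" tighter than "-", so it
# evaluates ($NF) - 1, the numeric value of the last field minus one.
# On a line whose last field is the port 45175 this prints 45174.
field_minus_one() {
    echo "a b 45175" | awk '{ print $NF-1 }'
}

printf '%s\n' "$SAMPLE_ALERTS" | count_dst_ips 'ATTACK-RESPONSES'
```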
 
I'd call it 'UUO*' - just to be politically correct.

vlad
+----------------------------+
| #include<disclaimer.h> |
+----------------------------+
 
Guys, I only corrected the placement of the '(' character... Granted, the original pipeline didn't stand a chance against you UUO* Police-Officers, but Shane was very close to getting his results by himself...

Also, it depends on whether you need the results 100 times an hour or just once, in which case any old "UUO*-ridden" pipeline can get the task done nicely.

Maybe TT needs an extra button on the editing box - Check for UUO* perhaps? ;-)


HTH,

p5wizard
 