
formatting script output

Status
Not open for further replies.

tagyourit

Technical User
Oct 20, 2008
22
US
Need help formatting script output. I dug up a watchfile.pl script on the net ( it was posted here as an alternative to Tripwire ) to monitor files/directories for changes.

It generates fairly consistent output. First, it builds a list of files you tell it to watch, which at the end of that list is:

------------------------------------------------

After the dashes, it will log updates. I will just send everything to standard out.

Mon Oct 20 12:02:17 2008: /tmp/dcfile001: Changed: uid ctime
-rw-r--r-- 1 billg system 6 Oct 20 12:01 /tmp/rtfile001
Mon Oct 20 12:02:17 2008: /tmp/downlist.tmp: Changed: size mtime ctime
-rw-r--r-- 1 root system 56 Oct 20 12:02 /tmp/downlist.tmp
Mon Oct 20 12:06:24 2008: /tmp/croutKYelH8: Changed: file deleted
Mon Oct 20 12:06:24 2008: /tmp/last_activated.tmp: Changed: size mtime ctime
-rw-r--r-- 1 root system 583 Oct 20 12:06 /tmp/last_activated.tmp

I want to have a script to parse this output nightly. The output is consistent ( except when file is deleted, you only get one line ). I'm trying to figure out how to parse this for feeding into Excel or MySQL with these fields:

DATE/TIME = Mon Oct 20 12:07:25 2008:
FILENAME = /tmp/xlogfile:
WHAT = Changed: mtime ctime
UPDATED = -rw-r--r-- 1 root system 3206 Oct 20 12:07 /tmp/xlogfile

How can I create those divisions and put it all on one line?
 
man awk

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
I've run the following to get the diff fields

sed -n '/--------------------/,/$p/p' watchfile.log | awk -F: '{print $1$2$3$4$5$6}'

But I get *both* lines.

So before I sent it to awk, I grepped out Changed and I got only the line with my first three items. But how do I put the entire second line at the end of this output?
 
Quick update ( trying not to spam the list ), but I got the following output now:

Mon Oct 20 122355 2008, /tmp/xlogfile, Changed mtime ctime
Mon Oct 20 122455 2008, /tmp/dcfile001, Changed mode ctime
Mon Oct 20 122455 2008, /tmp/dcfile002, Changed uid ctime
Mon Oct 20 122555 2008, /tmp/xlogfile, Changed mtime ctime
Mon Oct 20 122755 2008, /tmp/xlogfile, Changed mtime ctime
Mon Oct 20 122955 2008, /tmp/xlogfile, Changed mtime ctime
Mon Oct 20 123156 2008, /tmp/xlogfile, Changed mtime ctime
Mon Oct 20 123356 2008, /tmp/dcfile002, Changed uid size mtime ctime

And I found awk '{printf $0}', so now I might have something, but oh boy, is it a mess now.

------------------------------------------------Mon Oct 20 12:23:55 2008: /tmp/xlogfile: Changed: mtime ctime -rw-r--r-- 1 root system 3206 Oct 20 12:23 /tmp/xlogfileMon Oct 20 12:24:55 2008: /tmp/dcfile001: Changed: mode ctime -rwxr-xr-x 1 caseyd system 6 Oct 20 12:01 /tmp/dcfile001Mon Oct 20 12:24:55 2008: /tmp/dcfile002: Changed: uid ctime -rw-r--r-- 1 caseyd system 0 Oct 20 12:00 /tmp/dcfile002Mon Oct 20 12:25:55 2008: /tmp/xlogfile: Changed: mtime ctime -rw-r--r-- 1 root system 3206 Oct 20 12:25 /tmp/xlogfileMon Oct 20 12:27:55 2008: /tmp/xlogfile: Changed: mtime ctime -rw-r--r-- 1 root system 3206 Oct 20 12:27 /tmp/xlogfileMon Oct 20 12:29:55 2008: /tmp/xlogfile: Changed: mtime ctime -rw-r--r-- 1 root system 3206 Oct 20 12:29 /tmp/xlogfile

So now I'm looking at the following in sed, but I'm getting every other line joined together

sed 'N;s/\n/ /'

Mon Oct 20 13:02:59 2008: /tmp/downlist.tmp: Changed: size mtime ctime Mon Oct 20 13:03:59 2008: /tmp/downlist.tmp: Changed: size mtime ctime
Mon Oct 20 13:04:00 2008: /tmp/xlogfile: Changed: mtime ctime Mon Oct 20 13:05:00 2008: /tmp/downlist.tmp: Changed: size mtime ctime

It's skipping my line with the file listing ( ls -l ) output??
 
printf "%s\n", $0

or

print $0

Or, as PHV has so eloquently put it...

man awk ;-)



HTH,

p5wizard
 
Furthermore, all the stuff you're doing with sed and/or grep can be done with awk ...

Hope This Helps, PH.
FAQ219-2884
FAQ181-2886
 
Try something like this:

Code:
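awk '
        # ignore data until actual log starts; the anchor and the !logstarted
        # guard keep ls -l modes such as -rw------- or ---------- from
        # matching the separator rule again later in the log
        !logstarted && /^----/ { logstarted=1; getline; line=$0; next }
        # print previous line, store this one
        logstarted && /Changed:/ { print line; line=$0;  next }
        # append this line to the stored line
        logstarted { line=line " " $0 }
        # print the last line
        END { print line }
' inputfile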

Basically it delays outputting the line until the next line is read; that way it knows when it has gathered all of the data relevant to that line. The delayed output means that you have to use an END clause to make sure the final line is printed. You'll obviously need to make some formatting changes to make the data digestible by MySQL, but the principle is the same.

Annihilannic.
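
An added example, not part of the original thread or of watchfile.pl: the same delayed-output idea extended to emit the four requested fields as one tab-separated record per change, with an empty last field for deleted files. The function names `watchfile_to_tsv` and `sample_log` are hypothetical, the sample log is constructed, and the timestamp is assumed to be the fixed 24-character form shown in the log above.

```shell
#!/bin/sh
# Read a watchfile.pl log on stdin; write one record per change as
# datetime <TAB> filename <TAB> what changed <TAB> ls -l line (empty if deleted).
watchfile_to_tsv() {
    awk '
        function emit() {
            if (have) printf "%s\t%s\t%s\t%s\n", ts, file, what, listing
            have = 0; listing = ""
        }
        # Skip the watch list. Only the first all-dash line starts the log, so
        # a later ls -l mode such as "-rw-------" cannot be taken for it.
        !started { if ($0 ~ /^-+[ \t]*$/) started = 1; next }
        # Header line: "<timestamp>: <path>: Changed: <attributes>"
        /: Changed: / {
            emit()
            cut  = index($0, ": Changed: ")
            head = substr($0, 1, cut - 1)
            what = substr($0, cut + length(": Changed: "))
            ts   = substr(head, 1, 24)   # assumed fixed-width timestamp
            file = substr(head, 27)      # skip ": "; the path may contain ":"
            have = 1
            next
        }
        # First line after a header is the ls -l listing (absent on deletion).
        have && listing == "" { listing = $0 }
        END { emit() }
    '
}

# Constructed sample log: watch list, separator, then three change records.
sample_log() {
    cat <<'EOF'
/tmp/xlogfile
/tmp/secret.key
------------------------------------------------
Mon Oct 20 12:07:25 2008: /tmp/xlogfile: Changed: mtime ctime
-rw-r--r-- 1 root system 3206 Oct 20 12:07 /tmp/xlogfile
Mon Oct 20 12:08:25 2008: /tmp/croutKYelH8: Changed: file deleted
Mon Oct 20 12:09:25 2008: /tmp/secret.key: Changed: mode ctime
-rw------- 1 root system 64 Oct 20 12:09 /tmp/secret.key
EOF
}

sample_log | watchfile_to_tsv
```

Tab-separated output opens directly in Excel and loads into MySQL with LOAD DATA INFILE, whose default field terminator is a tab.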
 