Help with simple log file script 1

[desperado618]

I am struggling to write a script that will display the # of times an IP address appears as a source and as a destination.

Elements:
##the user should be prompted for the ip address
echo "Enter IP"
read $ip

##the files are in *.gz format
zcat *.gz | grep $ip #displays all lines with that ip
#src=<ip> and dst=<ip>

##the src address is in position 7 and dst in position 10
awk {print $7,$10}

### count the lines
wc -l

I cant seem to put everything together. The best I have been able to accomplish is to get a total count of any line that either has the ip listed as a src or dst. Any assistance would be greatly appreciated.

 

[Annihilannic]

Try this:

zcat *.gz | awk -v IP=$ip '
    $7 == IP { src++ }
    $10 == IP { dest++ }
    END { print src,dest }
'

It should just output two numbers, the first is the number of times it appears as the source, and second is the number of times it appears as the destination.

Annihilannic.

 

[desperado618]

Thanks for the quick response. I get the following error when doing what you suggested:

/bucket/bin/jcount3: line 4: unexpected EOF while looking for matching `''
/bucket/bin/jcount3: line 9: syntax error: unexpected end of file

 

[Annihilannic]

Are you sure you copied/pasted the ' on the last line?

Annihilannic.

 

[desperado618]

Appears I had a type-o

Ok here is what I have:

syslog entry:
id=firewall time="2008-05-18 18:18:33" fw=Firewall pri=6 proto=6(tcp) src=190.42.190.241 : 1938 dst=70.98.72.150 : 25 mid=2030 mtp=11 msg="Service access request successful from ext n/w" agent=Firewall ruleguid=5462904C-E9D9-4AA9-8913-B28C88C5393A ruleorder=14
id=firewall time="2008-05-18 18:18:33" fw=Firewall pri=6 proto=6(tcp) src=59.92.170.145 : 56177 dst=70.98.72.151 : 25 mid=2030 mtp=11 msg="Service access request successful from ext n/w" agent=Firewall ruleguid=24F1A4D2-2C57-4B46-B3CD-818F0FABBFE7 ruleorder=20

Script:
cat /bucket/jc/bin/jcount3
echo -n 'Please enter the IP address: '
read ip

zcat *.gz | awk -v IP=$ip '
$7 == IP { src++ }
$10 == IP { dest++ }
END { print src,dest }
'


When I run the script I get nothing:
$ /bucket/jcandiff/bin/jcount3
Please enter the IP address: 59.92.170.145

$

 

[Annihilannic]

That's because the string 59.92.170.145 does not match src=59.92.170.145, for example. You should be able to modify the script to match the full field quite easily.

Annihilannic.

 

[desperado618]

Thanks again for your quick response:

echo -n 'Please enter the IP address: '
read ip

zcat *.gz | awk -v IP=$ip '
$7 == 'src\=IP' { src++ }
$10 == 'dst\=IP' { dest++ }
END { print src,dest }
'

The above output is only printing the entered IP to the screen.

 

[desperado618]

By the way, when i run the script withouth the 'src\=' and 'dst\=', it works fine when I specify "src=59.92.72.151"

 

[Annihilannic]

Try $7 == "src="IP instead.

By using single quotes you are actually terminating the ones that open on the earlier lines (where the awk script begins) rather than protecting that string, and the result is that awk assigns IP to a variable called src, then compares it. Using the above syntax the text "src=" is concatenated with the contents of the IP variable, then the comparison is performed.

Annihilannic.

 

[desperado618]

That did it...
Thanks again.

 

[feherke]

Hi

Here on Tek-Tips we used to thank for the received help by giving stars. Please click the

* [navy]Thank Annihilannic
for this valuable post![/navy]

at the bottom of Annihilannic's post. That way you both show your gratitude and indicate this thread as helpful.

Feherke.

http://rootshell.be/~feherke/