starter question to filter out text!

Status
Not open for further replies.

simalt

Technical User
May 15, 2001
4
GB
Could you please tell me how I could extract all the records from a text file with say the 11 field as being 10000 e.g $11.

Sample::::
2/12/2003 14:15:13 4 2 1053 MSExchangeDS domain\administrator server /o=abc/ou=123/cn=Recipients/cn=test1234. 10000

The 10,000 may be a last field in each record or is $10

I want the file to loop to display all these to another out.txt file with header fields attached to new file:
e.g following as being first record for the header file under which the results will display
Type Date Time Source Category Event User Computer Description

I have tried various ways but I don't seem to be getting the desired result since I am no expert at this!
e.g
num = "1053"
num2= "10000"
{
if ($5==num && $10==num2)
{Print $0}
else
exit 1}

It only gives me two records which are both wrong, even though $10 is the location of the "10000" field!

Perhaps there is a better way with a while loop or something. I think my logic is wrong.

Thanks for your help.

Simon
 
I don't understand exactly what you want. Is the 10000 value in the 10th field, 11th field, last field or where? Your program is testing the 5th field but you don't mention it anywhere in your description. Post more lines of input data and the output you expect.
CaKiwi
 
Hi CaKiwi,

Yes you are right my programme is testing for the 5th field which contains the value "1035" and also the 10th field which contains the value "10000", sorry I put 11th field by mistake, I check if both are true in each event record and if so then I wish to extract all the values of records which contain these two values to be true so e.g if I had say 5 events of these values out of a log of 900 records then I only wish to extract these 5 events with the heading which I guess I can pad at top myself with an echo statement or so e.g
echo Type Date Time Source Category Event User Computer Description

I am not sure if there is a better way of formatting this line as a header row in the out file with awk, the "event" 1053 is the 5th value ($5) I am checking for and "Description" field contains two values spaced out one is string which I am not testing and the $10 is the numeric value which I am testing and is equal to 10000. Although there are many other events with the value of 1053, I only need the ones that have the description part numeric equal to 10,000 not any other number as it can generate a 4, or a 1 etc so that is why I need to do a test with the && operator to get a match of "1053 and 10,000" to equal true to be extracted etc.

Hope this helps

Thanks

Simon

 
Ok, this should do it

$5==1053 && $10==10000{print}

Since print is the default action this can be simplified to

$5==1053 && $10==10000

To print out the header, use a BEGIN pattern

BEGIN{print "Type Date Time Source...."}
$5==1053 && $10==10000
CaKiwi
 
Or, if the header is the first line of the input file

NR==1{print;next}
$5==1053 && $10==10000
CaKiwi
 
Hi CaKiwi,

Thanks, this does indeed work to pick up the first record it comes to but it does not pick up the rest and I think I have found out the reason why.

There are at least 5 records in the log file and it only pulls 1 and then stops but I found the 10,000 record does not always occur on the $10th field, in some places it occurs in $11 field so I was wondering if it is better to read the entire record in and do a pattern match or an if search for 10,000 and print those fields as if the account it displays has spaces it then becomes $11 e.g.

login\simon smith 10000 is treated as three fields but
login\purbick 10000 is treated as two fields so this is where I don't get all the records out so I was considering is it worth a pattern match on whole record and how would it be done.

Thanks very much

Simon
 
Hi CaKiwi,

This is what I have used to extract all 5 records successfully.


BEGIN {print "computer one two three...n"}
/1000/ { print $0 }

Thanks for your help

Simon
 
Glad you got it working. If the 10000 is always the last field, you could use

BEGIN {print "computer one two three...n"}
$NF==10000

That way you wouldn't get extra records printed if one of the other fields happened to contain 10000.
CaKiwi
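An added example, not part of the original thread: the three filters discussed above run side by side over constructed log records, showing why a fixed `$10` test misses records whose account name contains a space and why a whole-record pattern over-matches. The sample records and the function names (`sample_log`, `filter_fixed`, `filter_regex`, `filter_last`, `count`) are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample records (not data from the thread). Record 2 has a space
# in the account name, so its trailing value lands in $11 instead of $10.
sample_log() {
cat <<'EOF'
2/12/2003 14:15:13 4 2 1053 MSExchangeDS domain\administrator server /o=abc/ou=123/cn=Recipients/cn=test1234. 10000
2/12/2003 14:16:02 4 2 1053 MSExchangeDS login\simon smith server /o=abc/ou=123/cn=Recipients/cn=test5678. 10000
2/12/2003 14:17:40 4 2 1053 MSExchangeDS login\purbick server /o=abc/ou=123/cn=Recipients/cn=test10000. 4
2/12/2003 14:18:11 4 2 1171 MSExchangeDS login\purbick server /o=abc/ou=123/cn=Recipients/cn=test9. 10000
2/12/2003 14:19:55 4 2 1053 MSExchangeDS login\purbick server /o=abc/ou=123/cn=Recipients/cn=test42. 1
EOF
}

# Fixed field position: misses record 2 because the value has shifted to $11.
filter_fixed() { awk '$5 == 1053 && $10 == 10000'; }

# Whole-record pattern: also keeps record 3 (10000 inside the recipient name)
# and record 4 (a different event ID).
filter_regex() { awk '/10000/'; }

# The event ID sits before the variable-width account field and the value is
# always last, so test $5 and $NF; BEGIN prints the header row once.
filter_last() {
  awk 'BEGIN { print "Type Date Time Source Category Event User Computer Description" }
       $5 == 1053 && $NF == 10000'
}

# Line count without the padding some wc implementations add.
count() { wc -l | tr -d ' '; }

echo "fixed \$10: $(sample_log | filter_fixed | count) record(s)"
echo "regex:     $(sample_log | filter_regex | count) record(s)"
echo "--- \$5 and \$NF, with header ---"
sample_log | filter_last
```

Redirect the last command with `> out.txt` to write the header and matching records to a file.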
 