Date: Fri, 20 Aug 2010 13:35:49 -0500
From: David Kelly <dkelly@hiwaay.net>
To: Paul Schmehl <pschmehl_lists@tx.rr.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Any awk gurus on the list?
Message-ID: <20100820183549.GB59600@Grumpy.DynDNS.org>
In-Reply-To: <23BA961B74BA2B5CA8B523F9@utd65257.utdallas.edu>
References: <23BA961B74BA2B5CA8B523F9@utd65257.utdallas.edu>

On Fri, Aug 20, 2010 at 12:12:20PM -0500, Paul Schmehl wrote:
>
> But when I add an FS to the script, I get odd results:
>
> # awk '!/#/ { FS=";"; for (i=1; i<=NF; i++) { if ( $i ~ /sid/)
> {mtcmsg[sid]=$i; print mtcmsg[sid]}}}' <
> /usr/local/etc/snort/rules/mtc.rules.test
> sid:299913;
> sid:52123
> sid:3001441
> sid:1444
> sid:2008120
> sid:5001684
> sid:2001683
> sid:22466
> sid:2002750
> sid:3000003
> sid:292000032
> sid:22000032
> sid:3000000
> sid:2003070
> sid:2003484
> sid:2003603
> sid:31000004
> sid:299998
>
> Why is the first value indented and not stripped of the semi-colon?

Because field breaks occur first, then the match on the left, and only
when there is a match on the left is the script in {} executed. FS is
global so it sticks around for the next line of input.

I would suggest that you not try to learn awk on the command line but
put your script in a file. Then, once you have it working and know what
you are doing, put it on a single command line if it's simple enough.
--
David Kelly N4HHE, dkelly@HiWAAY.net
========================================================================
Whom computers would destroy, they must first drive mad.
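
Added example, not part of the original message or of the script under discussion: the ordering described in the reply (record split first, then pattern match, then action) shown on constructed Snort-style rules, with FS assigned inside the action next to FS assigned in a BEGIN block. The rule text, the sid values and the function names are assumptions made up for the illustration.

```shell
#!/bin/sh
# Constructed sample input: three made-up Snort-style rules plus a comment line.
rules() {
cat <<'EOF'
# constructed comment line
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"constructed rule B"; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000003; rev:1;)
EOF
}

# Same shape as the quoted one-liner: FS is assigned inside the action.
# The first rule has already been split on whitespace by the time the
# assignment runs, so its sid field keeps the trailing ";". Later records
# are split on ";" and carry the space that followed the previous ";".
sids_fs_in_action() {
    rules | awk '!/#/ { FS=";"; for (i=1; i<=NF; i++) if ($i ~ /sid/) print $i }'
}

# FS set in BEGIN, before any record is read, so every rule is split the
# same way. Trimming the leading blanks is an addition for clean output.
sids_fs_in_begin() {
    rules | awk 'BEGIN { FS=";" }
        !/#/ { for (i=1; i<=NF; i++) if ($i ~ /sid/) { s=$i; sub(/^[ \t]+/, "", s); print s } }'
}

echo "FS assigned in the action:"; sids_fs_in_action
echo "FS assigned in BEGIN:";      sids_fs_in_begin
```

Passing the separator on the command line with `awk -F';'` has the same effect as the BEGIN assignment.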
