Date: Fri, 20 Aug 2010 13:35:49 -0500
From: David Kelly
To: Paul Schmehl
Cc: FreeBSD Questions
Subject: Re: Any awk gurus on the list?

On Fri, Aug 20, 2010 at 12:12:20PM -0500, Paul Schmehl wrote:
>
> But when I add an FS to the script, I get odd results:
>
> # awk '!/#/ { FS=";"; for (i=1; i<=NF; i++) { if ( $i ~ /sid/)
> {mtcmsg[sid]=$i; print mtcmsg[sid]}}}' <
> /usr/local/etc/snort/rules/mtc.rules.test
> sid:299913;
> sid:52123
> sid:3001441
> sid:1444
> sid:2008120
> sid:5001684
> sid:2001683
> sid:22466
> sid:2002750
> sid:3000003
> sid:292000032
> sid:22000032
> sid:3000000
> sid:2003070
> sid:2003484
> sid:2003603
> sid:31000004
> sid:299998
>
> Why is the first value indented and not stripped of the semi-colon?

Because field breaks occur first, then the match on the left, and only
when there is a match on the left is the script in {} executed. FS is
global so it sticks around for the next line of input.

I would suggest that you not try to learn awk on the command line but
put your script in a file. Then once you have it working and know what
you are doing put it on a single command line if it's simple enough.

-- 
David Kelly N4HHE, dkelly@HiWAAY.net
========================================================================
Whom computers would destroy, they must first drive mad.
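
The behaviour described in the reply above, as an added example that is not part of the original message: the same loop run once with FS assigned inside the action and once with FS assigned in a BEGIN block, so it is in effect before the first record is split. The rule lines, the sid values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: FS assigned inside an action vs. FS assigned in BEGIN.

# Constructed Snort-style rules (sample input, not from the original post).
rules() {
cat <<'EOF'
# constructed sample rules
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"constructed rule B"; sid:1000002; rev:2;)
alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000003; rev:1;)
EOF
}

# FS assigned inside the action, as in the question. The first rule has
# already been split on whitespace when FS=";" runs, so its sid field keeps
# the trailing semicolon. Later records are split on ";" and keep the blank
# that follows the previous semicolon.
sids_fs_in_action() {
    rules | awk '!/#/ {
        FS = ";"
        for (i = 1; i <= NF; i++)
            if ($i ~ /sid:/) print $i
    }'
}

# FS assigned in BEGIN, so every record (the first included) is split on ";".
# The leading blank is stripped from a copy of the field before printing.
sids_fs_in_begin() {
    rules | awk 'BEGIN { FS = ";" }
    !/#/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /sid:/) {
                v = $i
                sub(/^[ \t]+/, "", v)
                print v
            }
    }'
}

echo "FS set inside the action:"
sids_fs_in_action
echo "FS set in BEGIN:"
sids_fs_in_begin
```
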