From: Wayne Sierke
To: Martin McCormick
Cc: freebsd-questions@freebsd.org
Subject: Re: Regular Expression Trouble
Date: Wed, 27 Aug 2008 23:43:52 +0930

On Wed, 2008-08-27 at 08:25 -0500, Martin McCormick wrote:
> My thanks to several people who have provided great suggestions
> and an apology for not being clear on the log data I am mining
> for MAC addresses. It is syslog and a typical line looks like:
>
> Aug 26 20:45:36 dh1 dhcpd: DHCPACK on 10.198.67.116 to 00:12:f0:88:97:d6
> (peaster-laptop) via 10.198.71.246
>
> That was one line broken to aid in emailing, but that's what
> types of lines are involved. The MAC appears at different field
> locations depending on the type of event being logged so awk is
> perfect for certain types of lines, but it misses others and no
> one awk expression gets them all.

The way to deal with that is to specify a pattern to match something
that distinguishes each form of log line that you want to extract from.
With the following (contrived) log data:

Aug 26 20:45:36 dh1 dhcpd: DHCPDISCOVER from 00:12:f0:88:97:d6 (peaster-laptop) via eth0
Aug 26 20:45:36 dh1 dhcpd: DHCPACK on 10.198.67.116 to 00:12:f0:88:97:d6 (peaster-laptop) via 10.198.71.246

use awk with a script such as:

awk '/DHCPDISCOVER/ {print $8} /DHCPACK/ {print $10}' logfile

Wayne
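
An added example, not part of the message above: the same per-message-type field selection, with a check that the selected field really is a MAC address, so a line whose layout differs is reported instead of silently printing the wrong field. The function names extract_macs and sample_log are hypothetical, and the third sample line is constructed for illustration.

```sh
#!/bin/sh
# Added example; extract_macs and sample_log are hypothetical names.

# Constructed sample: the two log lines from the message, plus one
# constructed DHCPACK line whose layout differs, so field 10 is not a MAC.
sample_log() {
    cat <<'EOF'
Aug 26 20:45:36 dh1 dhcpd: DHCPDISCOVER from 00:12:f0:88:97:d6 (peaster-laptop) via eth0
Aug 26 20:45:36 dh1 dhcpd: DHCPACK on 10.198.67.116 to 00:12:f0:88:97:d6 (peaster-laptop) via 10.198.71.246
Aug 26 20:45:37 dh1 dhcpd: DHCPACK to 10.198.67.120 (00:12:f0:88:97:d7) via eth0
EOF
}

# Reads syslog lines from stdin or from the files given as arguments.
# stdout: "TYPE MAC" for each line whose expected field is a MAC.
# stderr: "UNPARSED <line>" for a known type whose field is not a MAC.
extract_macs() {
    awk '
    BEGIN {
        # Six colon-separated hex pairs, built without {n} intervals
        # so that older awk implementations accept the pattern.
        h = "[0-9A-Fa-f][0-9A-Fa-f]"
        mac_re = "^" h
        for (i = 0; i < 5; i++) mac_re = mac_re ":" h
        mac_re = mac_re "$"
        # Field positions taken from the one-liner in the message.
        pos["DHCPDISCOVER"] = 8
        pos["DHCPACK"] = 10
    }
    $5 ~ /^dhcpd/ && ($6 in pos) {
        field = $(pos[$6])
        if (field ~ mac_re) {
            print $6, tolower(field)
        } else {
            print "UNPARSED", $0 | "cat 1>&2"
        }
    }' "$@"
}

sample_log | extract_macs
```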