From owner-freebsd-questions@FreeBSD.ORG Wed Aug 27 15:29:06 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3C7B01065678 for ; Wed, 27 Aug 2008 15:29:06 +0000 (UTC) (envelope-from paul+fbsd@it.ca) Received: from mail.it.ca (mail.it.ca [216.235.7.67]) by mx1.freebsd.org (Postfix) with ESMTP id DF6318FC16 for ; Wed, 27 Aug 2008 15:29:05 +0000 (UTC) (envelope-from paul+fbsd@it.ca) Received: from mail.it.ca (paul@mail [216.235.7.67]) by mail.it.ca (8.13.3/8.13.3) with ESMTP id m7RFT1f7061210; Wed, 27 Aug 2008 11:29:01 -0400 (EDT) (envelope-from paul+fbsd@it.ca) DomainKey-Signature: a=rsa-sha1; s=a; d=it.ca; c=nofws; q=dns; h=received:x-authentication-warning:date:from:to:cc:subject: message-id:reply-to:references:mime-version:content-type: content-disposition:in-reply-to:user-agent; b=lP1Sx943mimjeuRi5eoVamPx93CUSpoJQykyn7vE8bfkHzwkEnniS99aCsbyQ15Dm 5fZXQfVDPBS75iOIBAZdL/gsWLYI9lhy2s8dOtvMjA3zZDGU2gRV8/2Rj7oj9r/ Received: (from paul@localhost) by mail.it.ca (8.13.3/8.13.3/Submit) id m7RFT1fY061209; Wed, 27 Aug 2008 11:29:01 -0400 (EDT) (envelope-from paul+fbsd@it.ca) X-Authentication-Warning: mail.it.ca: paul set sender to paul+fbsd@it.ca using -f Date: Wed, 27 Aug 2008 11:29:01 -0400 From: Paul Chvostek To: Martin McCormick Message-ID: <20080827152900.GB30783@it.ca> References: <200808271325.m7RDP28b044255@dc.cis.okstate.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200808271325.m7RDP28b044255@dc.cis.okstate.edu> User-Agent: Mutt/1.5.12-2006-07-14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (mail.it.ca [216.235.7.67]); Wed, 27 Aug 2008 11:29:02 -0400 (EDT) Cc: freebsd-questions@freebsd.org Subject: Re: Regular Expression Trouble X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: freebsd-questions@freebsd.org List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Aug 2008 15:29:06 -0000 Hi Martin. On Wed, Aug 27, 2008 at 08:25:02AM -0500, Martin McCormick wrote: > > Aug 26 20:45:36 dh1 dhcpd: DHCPACK on 10.198.67.116 to 00:12:f0:88:97:d6 > (peaster-laptop) via 10.198.71.246 > > That was one line broken to aid in emailing, but that's what > types of lines are involved. The MAC appears at different field > locations depending on the type of event being logged so awk is > perfect for certain types of lines, but it misses others and no > one awk expression gets them all. While I agree with others that awk should be used with explicit recognition of the particular lines, you can still snatch everything with sed if you want to. In FreeBSD, sed supported extended regex, so: sed -nE 's/.*([0-9a-f]{2}(:[0-9a-f]{2}){5}).*/\1/p' The "-n" option tells sed not to print the line unless instructed to explicitely, and the "p" modifier at the end is that instruction. As for the regex ... well, that's straightforward enough. > This is an attempt to isolate every MAC address that > appears and then sort and count them to see who is having > trouble or, in some cases, is causing trouble. Then you still may want to use awk for some of that... cat /var/log/dhcpd.log | \ sed -nE 's/.*([0-9a-f]{2}(:[0-9a-f]{2}){5}).*/\1/p' | \ awk ' { a[$1]++; } END { for(i in a){ printf("%7.0f\t%s\n", a[i], i); } } ' | sort -nr You can join the lines into a single command line if you like, or toss it as-is into a tiny shell script. Awk is forgiving about whitespace. You should theoretically be able to feed the same regex to awk, but I've found that awk's eregex support sometimes doesn't work as I'd expect. Hope this helps. p -- Paul Chvostek it.canada http://www.it.ca/