Your data seems a bit too ambiguous to parse easily. You can't, as in your example, just split on white space, as your 'msg' data field is an unquoted string (so you'll get a seperate field for each word in the string). Your best option is to get the log file tab delimited (I'm guessing it isn't at the moment), and stop reading this post.

However, if you don't have control of the data, you'll just have to take a stab. With the assumption that the first four fileds don't have spaces in them, and that the key/value data that follows doesn't have any '='s in the data, then you could do something like this...

#!/usr/bin/perl
use Data::Dumper;

while(<DATA>) {
    chomp;
    my ($log_date, $log_time, $something, $ip_address, $keyed_data_str
+ing ) = split /\s+/, $_, 5;

    my %keyed_data_hash;
    while( $keyed_data_string =~ s/\s*(\w+)=\s*([^=]*)$/ $keyed_data_h
+ash{$1} = $2; ''/xsge) { 1 }


    print Dumper($log_date, $log_time, $something, $ip_address, \%keye
+d_data_hash);

}

__DATA__
2007-11-16 16:05:40    Local1.Alert    128.2.2.40    id=firewall time=
+"2007-11-16 16:03:37" fw=WS2000-Store 02 pri=1 proto=6(tcp) src=128.2
+.2.200 dst=128.2.100.106 mid= 1013 mtp=  2 msg=TCP connection request
+ received is invalid, dropping packet Src 23 Dst 4631 from EXT n/w ag
+ent=Firewall
[download]

OUTPUT

$VAR1 = '2007-11-16';
$VAR2 = '16:05:40';
$VAR3 = 'Local1.Alert';
$VAR4 = '128.2.2.40';
$VAR5 = {
            'msg' => 'TCP connection request received is invalid, drop
+ping packet Src 23 Dst 4631 from EXT n/w',
            'proto' => '6(tcp)',
            'time' => '"2007-11-16 16:03:37"',
            'src' => '128.2.2.200',
            'mtp' => '2',
            'mid' => '1013',
            'fw' => 'WS2000-Store 02',
            'agent' => 'Firewall',
            'id' => 'firewall',
            'pri' => '1',
            'dst' => '128.2.100.106'
        };
[download]

... which works by pulling off the easy four first fields, and then works from the end of the rest of the data, creating a key pair hash.

It's pretty ugly, but with your data, I don't see a way around it.

---

---

• Are you posting in the right place? Check out Where do I post X? to know for sure.
• Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:

  <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>

• Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
• Want more info? How to link or How to display code and escape characters are good places to start.