in reply to Pull users with multiple search

See perlintro sections Files and I/O and Regular expressions/ Simple matching paragraph, perlfaq6 and perlrequick

Re^2: Pull users with multiple search
by johnprince1980 (Initiate) on Jun 07, 2013 at 10:15 UTC
    Thanks for all your replies.

    I am not very familiar with Perl; however, while going through the internet, I felt that Perl will be the best tool to implement this.

    As suggested by 'smls', I really like the suggestion. It will really a lot of effort to put that.

    The hourly processing is because we do not want to scan the entire log every time; we can schedule a cron job to perform an hourly scan.

    If anyone can put some sample code, that will be great.

    Thanks

      So you are really looking for a programmer to do the job for you ... ;(

      Anyways: your requirement "last hour" can be ignored, as your log file only covers the last hour. So it is only

      1. Link user to connection.
      2. Count "SRCH=Q" per connection.

      If you are looking for help here it would be good to

      1. Provide some of your own attempts.
      2. Provide a bigger sample to let people test code.

      The following code is not production ripe as it depends on a number of assumptions based on your limited sample.

          use strict;
          use warnings;

          my %user;    # conn => uid, taken from BIND lines
          my %conn;    # conn => number of non-BIND lines seen

          while (<DATA>) {
              my ($conn) = /conn=(\d+)\s/;
              my ($uid)  = /uid=(.*?),/;
              # A line with a uid is a BIND; every other line is counted.
              $uid ? $user{$conn} = $uid : $conn{$conn}++;
          }

          for my $key ( keys %conn ) {
              print $user{$key} // "Unknown user";
              print ": $conn{$key} times in logfile\n";
          }

          __DATA__
          [04/Jun/2013:13:06:13 -0600] conn=13570 op=14 msgId=13 - BIND dn="uid=xyz123,ou=People,o=xyz.com" method=128 version=3
          [04/Jun/2013:15:06:13 -0600] conn=13570 op=14 msgId=15 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
          [04/Jun/2013:15:06:13 -0600] conn=13570 op=14 msgId=15 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
          [04/Jun/2013:15:06:13 -0600] conn=13571 op=14 msgId=15 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q

        Hi All,

        As suggested, I tried to work on it myself and have come up with the following code. So far I have implemented the following steps:

        1. Define two hashes: %users and %searches

        2. Process the logfile line by line. For each line, use a regex to see if it matches the BIND or RESULT form, and extract the relevant fields ($conn, $uid, etc.) if it does. Also:

        2a. If it is a BIND line: Add an entry to the %users hash, with $conn as the key and $uid as the value.

        2b. If it is a RESULT line: Add relevant information (about the timestamp of the search) to the value of the %searches entry that belongs to the key $conn.

        At this point, I am not sure how to compare the three occurrences. Please help me.

            #!/usr/bin/perl
            use warnings;
            use strict;
            use 5.010;

            open(my $in, '<', "logs.txt") or die "can not open file: $!";
            my %users;
            my %searches;

            while (<$in>) {
                if (/BIND/) {
                    my ($conn) = /conn=(\d+)\s/;
                    my ($uid)  = /uid=(.*?),/;
                    # conn => uid (appended if the connection binds again)
                    $users{$conn} .= exists $users{$conn} ? " $uid, " : $uid;
                    print %users;       # debug output
                }
                if (/SRCH=Q/) {
                    my ($conn1) = /conn=(\d+)\s/;
                    my (@line)  = split(" ", $_);
                    my $timestamp = "$line[0]\n";
                    # append (.=) so earlier timestamps for this connection are kept
                    $searches{$conn1} .= exists $searches{$conn1} ? " $timestamp," : $timestamp;
                    print %searches;    # debug output
                }
            }
            close($in);
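
One way to do the comparison asked about in the last post, as an added example that is not code from any poster in this thread: keep the search timestamps as epoch seconds, merge them per user, and slide a one-hour window over the sorted list. The threshold of 3, the 3600-second window, the per-user merge and the `__DATA__` lines (constructed in the thread's log format, with one user crossing the threshold over two connections and one staying below it) are assumptions.

```perl
# Added example (not from the thread). Threshold, window and the DATA lines
# are constructed assumptions; the line format follows the sample in the thread.
use strict; use warnings; use 5.010;
use Time::Local qw(timegm);
my ($THRESHOLD, $WINDOW) = (3, 3600);    # assumed: 3 searches per 3600 s
my %MON; @MON{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = 0 .. 11;

# "[04/Jun/2013:13:06:13 -0600] ..." -> epoch seconds; undef if malformed
sub to_epoch {
    my ($d, $mon, $y, $h, $mi, $s, $sign, $oh, $om) = $_[0] =~
        m{^\[(\d+)/(\w{3})/(\d{4}):(\d+):(\d+):(\d+) ([+-])(\d\d)(\d\d)\]}
        or return;
    return unless exists $MON{$mon};
    my $offset = ($oh * 3600 + $om * 60) * ($sign eq '-' ? -1 : 1);
    return eval { timegm($s, $mi, $h, $d, $MON{$mon}, $y) - $offset };
}

my (%user, %hits);    # conn => uid, conn => [epoch, ...]
while (my $line = <DATA>) {
    my ($conn) = $line =~ /\bconn=(\d+)\b/ or next;
    if ($line =~ /\bBIND\b.*?\buid=([^,"]+)/) { $user{$conn} = $1 }
    elsif ($line =~ /\bSRCH=Q\b/) {
        my $t = to_epoch($line);
        push @{ $hits{$conn} }, $t if defined $t;
    }
}

# Merge connections that belong to the same user before counting.
my %by_user;
push @{ $by_user{ $user{$_} // "unknown (conn=$_)" } }, @{ $hits{$_} } for keys %hits;

for my $who (sort keys %by_user) {
    my @t = sort { $a <=> $b } @{ $by_user{$who} };
    my ($best, $lo) = (0, 0);
    for my $hi (0 .. $#t) {    # largest number of hits in any one-hour window
        $lo++ while $t[$hi] - $t[$lo] >= $WINDOW;
        $best = $hi - $lo + 1 if $hi - $lo + 1 > $best;
    }
    say "$who: $best SRCH=Q results within one hour" if $best >= $THRESHOLD;
}
__DATA__
[04/Jun/2013:13:06:13 -0600] conn=13570 op=0 msgId=1 - BIND dn="uid=xyz123,ou=People,o=xyz.com" method=128 version=3
[04/Jun/2013:13:10:00 -0600] conn=13570 op=1 msgId=2 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:13:40:00 -0600] conn=13570 op=2 msgId=3 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:14:00:00 -0600] conn=13580 op=0 msgId=1 - BIND dn="uid=xyz123,ou=People,o=xyz.com" method=128 version=3
[04/Jun/2013:14:05:00 -0600] conn=13580 op=1 msgId=2 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:12:59:00 -0600] conn=13571 op=0 msgId=1 - BIND dn="uid=abc456,ou=People,o=xyz.com" method=128 version=3
[04/Jun/2013:13:00:00 -0600] conn=13571 op=1 msgId=2 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:13:30:00 -0600] conn=13571 op=2 msgId=3 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:14:45:00 -0600] conn=13571 op=3 msgId=4 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
```

When the log is rotated hourly, a connection's BIND line may sit in an earlier file; such connections are reported under their connection number rather than dropped.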