in reply to Re^2: Pull users with multiple search
in thread Pull users with multiple search

So you are really looking for a programmer to do the job for you ... ;(

Anyways: your requirement "last hour" can be ignored, as your log file only covers the last hour. So it is only

  1. Link user to connection.
  2. Count "SRCH=Q" per connection.
If you are looking for help here it would be good to
  1. Provide some of your own attempts.
  2. Provide a bigger sample to let people test code.
The following code is not production ripe as it depends on a number of assumptions based on your limited sample.

    use strict;
    use warnings;

    my %user;   # conn id => uid taken from the BIND line
    my %conn;   # conn id => number of non-BIND lines seen

    while (<DATA>) {
        my ($conn) = /conn=(\d+)\s/;
        my ($uid)  = /uid=(.*?),/;
        # A line carrying a uid is the BIND; every other line is counted as a search.
        $uid ? $user{$conn} = $uid : $conn{$conn}++;
    }

    for my $key ( keys %conn ) {
        print $user{$key} // "Unknown user";
        print ": $conn{$key} times in logfile\n";
    }

    __DATA__
    [04/Jun/2013:13:06:13 -0600] conn=13570 op=14 msgId=13 - BIND dn="uid=xyz123,ou=People,o=xyz.com" method=128 version=3
    [04/Jun/2013:15:06:13 -0600] conn=13570 op=14 msgId=15 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
    [04/Jun/2013:15:06:13 -0600] conn=13570 op=14 msgId=15 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
    [04/Jun/2013:15:06:13 -0600] conn=13571 op=14 msgId=15 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q

Re^4: Pull users with multiple search
by johnprince1980 (Initiate) on Jun 10, 2013 at 05:42 UTC
    Hi All,

    As suggested, I tried to work on it myself and have come up with the following code. So far I have implemented the following steps:

    1. Define two hashes: %users and %searches

    2. Process the logfile line by line. For each line, use a regex to see if it matches the BIND or RESULT form, and extract the relevant fields ($conn, $uid, etc.) if it does. Also:

    2a. If it is a BIND line: Add an entry to the %users hash, with $conn as the key and $uid as the value.

    2b. If it is a RESULT line: Add relevant information (about the timestamp of the search) to the value of the %searches entry that belongs to the key $conn.

    At this point, I am not sure how to compare the three occurrences. Please help me.

        #!/usr/bin/perl
        use warnings;
        use strict;
        use 5.010;

        # Three-argument open with a lexical filehandle; report why it failed.
        open(my $in, '<', "logs.txt") or die "can not open file: $!";

        my %users;      # conn id => uid(s) seen in BIND lines
        my %searches;   # conn id => timestamps of SRCH=Q lines

        while (<$in>) {
            if (/BIND/) {
                my ($conn) = /conn=(\d+)\s/;
                my ($uid)  = /uid=(.*?),/;
                $users{$conn} .= exists $users{$conn} ? " $uid, " : $uid;
                print %users;
            }
            if (/SRCH=Q/) {
                my ($conn1) = /conn=(\d+)\s/;
                my (@line)  = split(" ", $_);
                my $timestamp = "$line[0]\n";
                # .= appends each timestamp instead of overwriting the previous one
                $searches{$conn1} .= exists $searches{$conn1} ? " $timestamp," : $timestamp;
                print %searches;
            }
        }
      Hello, Any comment on my response? Thanks.
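
An added example, not part of any post in this thread: one way to do the comparison the last post asks about, by keeping every SRCH=Q timestamp per connection and checking each search against the one two places later. The threshold of 3 searches, the 3600-second window, and the names `to_epoch` and `%times` are assumptions made for illustration; the `__DATA__` lines are constructed in the thread's log format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timegm);

# Assumed policy (not stated in the thread): flag a connection once it has
# $THRESHOLD or more SRCH=Q results inside any $WINDOW-second span.
my ($THRESHOLD, $WINDOW) = (3, 3600);
my %MON; @MON{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = 0 .. 11;

# "[04/Jun/2013:15:06:13 -0600] ..." -> epoch seconds (UTC), undef if unparsable.
sub to_epoch {
    my ($line) = @_;
    my ($d, $mon, $y, $h, $mi, $s, $sign, $oh, $om) = $line =~
        m{^\[(\d{2})/(\w{3})/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]} or return;
    return unless exists $MON{$mon};
    my $offset = ($oh * 3600 + $om * 60) * ($sign eq '-' ? -1 : 1);
    return eval { timegm($s, $mi, $h, $d, $MON{$mon}, $y) - $offset };  # undef on bad date
}

my (%user, %times);
while (my $line = <DATA>) {
    my ($conn) = $line =~ /\bconn=(\d+)\b/ or next;   # skip lines without a connection id
    if ($line =~ /\bBIND\b.*?\buid=([^,"]+)/) {
        $user{$conn} = $1;                             # link user to connection
    }
    elsif ($line =~ /\bSRCH=Q\b/) {
        my $t = to_epoch($line);
        push @{ $times{$conn} }, $t if defined $t;     # remember when each search finished
    }
}

for my $conn (sort { $a <=> $b } keys %times) {
    my @t = sort { $a <=> $b } @{ $times{$conn} };
    # Sliding window: compare each search with the one ($THRESHOLD - 1) places later.
    my $hit = grep { $t[$_ + $THRESHOLD - 1] - $t[$_] <= $WINDOW } 0 .. $#t - $THRESHOLD + 1;
    printf "%s (conn=%s): %d searches%s\n", $user{$conn} // 'Unknown user',
        $conn, scalar @t, $hit ? ", flagged: $THRESHOLD+ within ${WINDOW}s" : '';
}

# Constructed sample lines in the thread's log format follow.
__DATA__
[04/Jun/2013:13:06:13 -0600] conn=13570 op=0 msgId=1 - BIND dn="uid=xyz123,ou=People,o=xyz.com" method=128 version=3
[04/Jun/2013:13:10:00 -0600] conn=13570 op=1 msgId=2 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:13:25:00 -0600] conn=13570 op=2 msgId=3 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:13:40:00 -0600] conn=13570 op=3 msgId=4 - RESULT err=0 tag=101 nentries=48030 etime=139 SRCH=Q
[04/Jun/2013:13:45:00 -0600] conn=13571 op=1 msgId=2 - RESULT err=0 tag=101 nentries=12 etime=1 SRCH=Q
```

To run it against a real file, replace `<DATA>` with a filehandle opened on the access log.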