So at which part of implementing that logic do you get stuck?

EDIT:

In case you don't know where to even begin, here's one possible recipe for implementing this task:

  1. Define two hashes: %users and %searches
  2. Process the logfile line by line. For each line, use a regex to see if it matches the BIND or RESULT form, and extract the relevant fields ($conn, $uid, etc.) if it does. Also:
    1. If it is a BIND line:
      1. Add an entry to the %users hash, with $conn as the key and $uid as the value.
    2. If it is a RESULT line:
      1. Add relevant information (about the timestamp of the search) to the value of the %searches entry that belongs to the key $conn.
      2. Check the accumulated information in said hash value, for whether the condition of "three occurrences within an hour" has been met. If so, use the %users hash to look up the UID that belongs to the $conn in question and run the `add group` command for it.
      3. Remove information from said hash value that is no longer required.

Of course, what exactly "add/check/remove relevant information" means in 2.b.i. - 2.b.iii., depends on the exact requirements of what "three occurrences within an hour" should mean. See hdb's answer for details.

Also, this recipe assumes that the BIND line always comes before the corresponding RESULT lines, and that a little extra memory overhead is acceptable in order optimize speed. If either of these requirements is not given, a better way to do it might be to do a first parsing run through the logfile for the RESULT lines only, and then a second one for only those BIND lines that are actually needed.

For general help on how to parse a file and use regexes, see the links in Anonymous Monk's answer.

In reply to Re: Pull users with multiple search by smls
in thread Pull users with multiple search by johnprince1980

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.