This is a (very) small dump as text of Windows event logs (new format). Every value field can be different, but some might be the same. I want to analize this and report how many instances of errors there are per log type.Event[0]: Log Name: Microsoft-Windows-GroupPolicy/Operational Source: Microsoft-Windows-GroupPolicy Date: 2014-06-26T13:58:04.290 Event ID: 7320 Task: N/A Level: Error Opcode: Info Keyword: N/A User: S-1-5-18 User Name: NT AUTHORITY\SYSTEM Computer: hostname Description: Error: Computer determined to be not in a site. Error code 0x77F. Event[1]: Log Name: Microsoft-Windows-GroupPolicy/Operational Source: Microsoft-Windows-GroupPolicy Date: 2014-06-26T12:32:30.009 Event ID: 7320 Task: N/A Level: Error Opcode: Info Keyword: N/A User: S-1-5-21-1024758968-3939101906-3775097912-6653 User Name: whatever Computer: hostname Description: Error: Computer determined to be not in a site. Error code 0x77F.
So I can save the data I need in a hash of hashes for later processing Ideally I would rather use the HoH like this:use strict; use warnings; # global vars my ( $hash_ref, $logname, $source, $date, $evt_id, $error, $descriptio +n) ; # we'll increase this after every line in the while loop my $count = 1; # get every line and save it in $line. # then separate the lines in $key/$value pairs divided by ':' while ( my $line = <DATA> ) { # a paragragh is a line $/ = ""; chomp $line; my @line = split( /[\n\r]/, $line ); for (@line) { next if $_ =~ /^\w+.*$/; next if $_ =~ /\s+Description.*$/; my ( $key, $value ) = split(/: /); if ( $key =~ m/^\s+Log Name.*$/ ) { $logname = $value; } elsif ( $key =~ m/^\s+Source.*$/ ) { $source = $value; } elsif ( $key =~ m/^\s+Date.*$/ ) { $date = $value; } elsif ( $key =~ m/^\s+Event ID.*$/ ) { $evt_id = $value; } elsif ( $key =~ m/^\s+Level.*$/ ) { $error = $value; } $hash_ref->{$count} = { Logname => $logname, Source => $source, Date => $date, "Event ID" => $evt_id, Error => $error, }; } $count++; } use Data::Dumper; print Dumper $hash_ref; __DATA__ here is the dump with the format at the beginning
but that does not work because it overwrites every event of the same logname and only the last event remains. Is there a simpler way of achieving what I want?$hash_ref->{$logname} = { Logname => $logname, Source => $source, Date => $date, "Event ID" => $evt_id, Error => $error, };
And bonus question: right now I discard the Description value because it appears on a different line after the ':'. Is there a way of getting this value as well. This is not very important because we have the event id and the logname, so we can deduce the value but it would be nice to have. Thanks!
In reply to question on data structure by natxo
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |