in reply to Match a Log Entry Only If a Certain Keyword is not Present
The scheme below can be expanded to any combination of "sent" and "created" that you need, although the logic needs to change a bit if you want IPs that never had either "sent" or "created": an IP only gets a hash entry once one of those two actions is seen for it.
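#!/usr/bin/perl
use strict;
use warnings;

# Print every source IP that logged "sent" at least once and never "created".
#
# Each record is split on whitespace; field 1 is taken as the source IP and
# field 4 as "[digits]action". One bit per action of interest is OR-ed into
# a per-IP mask, so the final comparison selects an exact combination of
# actions. IPs that never logged "sent" or "created" (e.g. only "CWD") get
# no hash entry at all.
#
# Fields are located by position only: a record whose earlier fields contain
# embedded whitespace would put different text in slot 4.
# NOTE(review): confirm the log format guarantees whitespace-free fields
# before relying on this output for any access review.
#
# The sample records after __DATA__ are rejoined from the wrapped listing on
# the page (a "+" at a wrap point is a continuation marker, not log content).

my %hash;                      # source IP => OR of the action bits seen
my $sent_bits    = 0b0001;
my $created_bits = 0b0010;

while ( my $line = <DATA> ) {
    next if $line =~ /^\s*$/;    #skip blank lines

    # split ' ' ignores leading whitespace, so an indented record does not
    # shift the field positions the way split /\s+/ would.
    my ( $srcip, $action_field ) = ( split ' ', $line )[ 1, 4 ];

    # Short or malformed records are skipped instead of being compared as
    # undef (which would emit "uninitialized value" warnings).
    next unless defined $srcip && defined $action_field;

    my ($action) = $action_field =~ m/^\[\d+\](\w+)/;
    next unless defined $action;

    $hash{$srcip} |= $sent_bits    if $action eq "sent";
    $hash{$srcip} |= $created_bits if $action eq "created";
}

# Sorted so the report order is stable from run to run.
foreach my $sent_or_created ( sort keys %hash ) {
    print "$sent_or_created\n" if $hash{$sent_or_created} == $sent_bits;
}

#prints: 192.168.7.16

__DATA__
ex100525.log:09:42:26 192.168.66.176 webcountry 192.168.0.166 [5933]created /140NOE77111_V460_+IE38/FTP+script/put771.ftp 226 0
ex100525.log:09:42:27 192.168.66.176 webcountry 192.168.0.166 [5933]created /140NOE77111_V460_+IE38/FTP+script/update_noe77111_module.doc 226 0
ex100525.log:09:42:27 192.168.66.176 webcountry 192.168.0.166 [5933]created /140NOE77111_V460_+IE38/FTP+script/upfwnoe.bat 226 0
ex100525.log:09:42:27 192.168.66.176 webcountry 192.168.0.166 [5933]CWD /140NOE77111_V460_+IE38/Release+Note 550 2
ex100525.log:09:42:27 192.168.66.176 webcountry 192.168.0.166 [5933]CWD /140NOE77111_V460_+IE38/Release+Note 250 0
ex100525.log:09:42:27 192.168.66.176 webcountry 192.168.0.166 [5933]sent /140NOE77111_V460_+IE38/Release+Note/RN_140NOE77111_V46.doc 226 0
ex100525.log:09:42:27 192.168.7.16 webcountry 192.168.0.166 [5933]sent /140NOE77111+V4.6/140NOE77111_V460_+IE38 250 0
ex100525.log:09:42:27 192.168.7.16 webcountry 192.168.0.166 [5933]CWD /140NOE77111+V4.6/140NOE77111_V460_+IE38 250 0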