in reply to Re: parse a log file
in thread parse a log file

ORIGINAL INPUT:
SEC,6/21/2001,11:48:01,Security,560,Success,Object Access ,S-1-5-21-583907252-1958367476-682003330-1001,CISERFS1,Object Open:^` Object Server: Security^` Object Type: File^` Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\CISER\Tank\compressed\cret\003\ret72.mdse4.gz^` New Handle ID: 2760^` Operation ID: {0 3914260}^` Process ID: 1056^` Primary User Name: CISERFS1$^` Primary Domain: CTC_ITH^` Primary Logon ID: (0x0 0x3E7)^` Client User Name: IUSR_CISERFS1^` Client Domain: CISERFS1^` Client Logon ID: (0x0 0x2E1741)^` Accesses READ_CONTROL ^` SYNCHRONIZE ^` ReadData (or ListDirectory) ^` ReadEA ^` ReadAttributes ^` ^` Privileges -^`

Re: Re: Re: parse a log file
by particle (Vicar) on Jul 03, 2001 at 22:31 UTC
    okay, i won't give it all away, but here's a good start.

    while(<FILE>) {
        my @x = split /,|\^`/;
        next unless ($x[4] =~ /560/);   # we only want the files with 560
        print join("\n",@x), "\n";      # debugging print line - remove in production
        unless($x[16] =~ /Primary User Name: CISERFS1/) {   # only match this case
            print OUTPUT "$x[1] $x[2] $x[12] $x[16] \n";    # or whatever
        } # unless
    } # while

    by the way, you should get a login, so we know who you are when you come back!

    ~Particle

    Update: i guess i forgot about the '\' parsing, but i'm not sure just what you want to do. you can split on /\\/, and return the fields you want, put together with join "\\", much like i did in the debug print statement.
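
Added example, not part of particle's reply: the same filter written against named fields instead of positional indices, with the Accesses list collected and the Object Name shortened by splitting on backslashes as the update suggests. The `parse_event` helper, the choice of the last three path components, and the second and third sample records are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn one exported record into a hash: 9 header columns, then a description
# whose original lines were flattened with the "^`" separator.
sub parse_event {
    my ($line) = @_;
    chomp $line;
    my @col = split /,/, $line, 10;   # limit 10 keeps commas inside the description
    return unless @col == 10;
    my %ev = (date => $col[1], time => $col[2], id => $col[4], Accesses => []);
    my $in_list = 0;
    for my $part (split /\^`/, $col[9]) {
        $part =~ s/^\s+|\s+$//g;
        next unless length $part;
        if    ($part =~ /^Accesses\s+(.*)$/)   { $in_list = 1; push @{ $ev{Accesses} }, $1 }
        elsif ($part =~ /^Privileges\s+(.*)$/) { $in_list = 0; $ev{Privileges} = $1 }
        elsif ($part =~ /^([^:]+):\s*(.*)$/)   { $in_list = 0; $ev{$1} = $2 }
        elsif ($in_list)                       { push @{ $ev{Accesses} }, $part }
    }
    return \%ev;
}

while (my $line = <DATA>) {
    my $ev = parse_event($line) or next;
    next unless $ev->{id} eq '560';                     # object-open events only
    my $user = $ev->{'Primary User Name'} // '';
    next if $user =~ /^CISERFS1/;                       # same exclusion as the reply's unless
    my @path = split /\\/, $ev->{'Object Name'} // '';
    splice @path, 0, @path - 3 if @path > 3;            # keep the last three components
    print join(' ', $ev->{date}, $ev->{time}, $user, join('\\', @path),
               '[' . join('|', @{ $ev->{Accesses} }) . ']'), "\n";
}

# Sample input: record 1 is the thread's line with wrap marks removed;
# records 2 and 3 are constructed for this example.
__DATA__
SEC,6/21/2001,11:48:01,Security,560,Success,Object Access ,S-1-5-21-583907252-1958367476-682003330-1001,CISERFS1,Object Open:^` Object Server: Security^` Object Type: File^` Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume2\CISER\Tank\compressed\cret\003\ret72.mdse4.gz^` New Handle ID: 2760^` Operation ID: {0 3914260}^` Process ID: 1056^` Primary User Name: CISERFS1$^` Primary Domain: CTC_ITH^` Primary Logon ID: (0x0 0x3E7)^` Client User Name: IUSR_CISERFS1^` Client Domain: CISERFS1^` Client Logon ID: (0x0 0x2E1741)^` Accesses READ_CONTROL ^` SYNCHRONIZE ^` ReadData (or ListDirectory) ^` ReadEA ^` ReadAttributes ^` ^` Privileges -^`
SEC,6/21/2001,11:52:17,Security,560,Success,Object Access ,S-1-5-21-0-0-0-1000,CISERFS1,Object Open:^` Object Server: Security^` Object Type: File^` Object Name: \Device\Example\Tank\docs\readme.txt^` New Handle ID: 100^` Operation ID: {0 1}^` Process ID: 8^` Primary User Name: jdoe^` Primary Domain: CTC_ITH^` Primary Logon ID: (0x0 0x1)^` Client User Name: -^` Client Domain: -^` Client Logon ID: -^` Accesses READ_CONTROL ^` ReadData (or ListDirectory) ^` ^` Privileges -^`
SEC,6/21/2001,11:52:18,Security,562,Success,Object Access ,S-1-5-21-0-0-0-1000,CISERFS1,Handle Closed:^` Object Server: Security^` Handle ID: 100^` Process ID: 8^`
```

Keying on field names keeps the filter correct if the export adds or drops a description line, which would shift the positional indices used with `@x`.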