Extract information using sed regex
I am using sed regex to extract some information from a log file in order to use it further for analysis. I created the command below, but it won't work for me.
sed -e 's/([0-9] [0-9]*.[0-9]*.[0-9]*)[^@]* ([^@]*@[^[:space:]]*).*F=<([^ ]*)>.*I=[([0-9]+.[0-9]+.)].*$/1t2/' logs
Logs:
2017-02-13 10:31:55 1cd9Ev-003XiE-Sx ** rwackow@sjmcpk.org F=<ceo@ccp.com.in> R=dkim_lookuphost T=dkim_remote_smtp H=ah2.inboundmx.com [216.82.242.115] I=[147.75.228.64] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Symantec.cloud CN=mail132.messagelabs.com": SMTP error from remote mail server after end of data: 553-Message filtered. Refer to the Troubleshooting page at\n553-http://www.symanteccloud.com/troubleshooting for more\n553 information. (#5.7.1)
2017-02-14 10:01:40 1cd9Ev-003XiE-Sx ** solowki@pknic.com.in F=<ceo@ccffp.org> R=dkim_lookuphost T=dkim_remote_smtp H=ah2.inboundmx.com [216.82.242.115] I=[14.176.22.221] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes DN="/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Symantec.cloud CN=mail132.messagelabs.com": 501 Connection rejected by policy. Refer to the Troubleshooting page at\n501-http://www.symanteccloud.com/troubleshooting for more\n501 information. (#5.7.1)
I wanted to extract the following fields from the above logs:
Timestamp EmailTo: EmailFrom: IPAddress: ErrorCodes:
2017-02-13 10:31:55 rwackow@sjmcpk.org ceo@ccp.com.in 147.75.228.64 553
2017-02-14 10:01:40 solowki@pknic.com.in ceo@ccffp.org 14.176.22.221 501
linux sed
edited 2 days ago
Rui F Ribeiro
asked Feb 14 '17 at 18:11
blaCkninJa
yeah, run
awk '{t=$0;sub(/.*\\n/, "", t);sub(/ .*/, "", t);print $1, $2, $5, substr($6, 4, length($6)-4), substr($11, 4, length($11)-4), t}'
... the t, sub, sub extracts the error code, the rest is self-explanatory - print the respective fields except for $6 and $11 where it extracts only part of the field and prints the result
– don_crissti
Feb 14 '17 at 19:13
I am not having any other answer except thanking you. If you don't mind, let me know how I can master awk and sed?
– blaCkninJa
Feb 14 '17 at 19:21
well, read the manuals (both gnu sed and gnu awk manuals can be downloaded as pdf) & practice at the same time; just like with anything else in life, you have to crawl before you walk :) ... so start with simple tasks and work your way up as your skills improve
– don_crissti
Feb 14 '17 at 19:27
Great food for thought :)
– blaCkninJa
Feb 14 '17 at 19:32
1 Answer
Another idea, instead of extracting the fields needed, is to remove the extra:
sed '
s/[^: ]*\s\*\*\s//
s/F=<//
s/>.*I=\[/ /
s/].*more\\n/ /
s/\sinf.*//
' log.file
- first command removes 1cd9Ev-003XiE-Sx **
- second — F=<
- third — > R=dkim_lookuphost T=dkim_remote_smtp H=ah2.inboundmx.com [216.82.242.115] I=[
and so on…
edited Feb 15 '17 at 8:35
answered Feb 14 '17 at 19:27
Costas
thanks, it's working, can you explain a lil bit?
– blaCkninJa
Feb 15 '17 at 6:27
@rlinux57 I do not understand which further explanation is needed but here you are.
– Costas
Feb 15 '17 at 8:44
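Both commands in this thread depend on the exact layout of the line: the awk one-liner takes $6 and $11 by position and reads the code after the last literal \n, and the sed script assumes the same order of fields. As an added example (not part of the thread), the function below finds F=<...> and I=[...] by tag and reads the first 4xx/5xx SMTP reply code, so it also covers lines with no I=[...] field or with a single-line reply. The names sample_log and extract_failures are chosen here, and the sample is constructed from the question's two lines (shortened) plus two made-up lines.

```shell
#!/bin/sh
# Added example: pull fields out of Exim "**" (delivery failed) lines by
# tag instead of by column number.

# Constructed sample: the question's two lines (DN=... removed for brevity),
# one failure without I=[...], and one "=>" delivery that must be skipped.
sample_log() {
cat <<'EOF'
2017-02-13 10:31:55 1cd9Ev-003XiE-Sx ** rwackow@sjmcpk.org F=<ceo@ccp.com.in> R=dkim_lookuphost T=dkim_remote_smtp H=ah2.inboundmx.com [216.82.242.115] I=[147.75.228.64] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes: SMTP error from remote mail server after end of data: 553-Message filtered. Refer to the Troubleshooting page at\n553-http://www.symanteccloud.com/troubleshooting for more\n553 information. (#5.7.1)
2017-02-14 10:01:40 1cd9Ev-003XiE-Sx ** solowki@pknic.com.in F=<ceo@ccffp.org> R=dkim_lookuphost T=dkim_remote_smtp H=ah2.inboundmx.com [216.82.242.115] I=[14.176.22.221] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=yes: 501 Connection rejected by policy. (#5.7.1)
2017-02-14 10:02:03 1cd9Fa-003Xk2-Aa ** user@example.org F=<ceo@ccffp.org> R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.10]: 550 No such user
2017-02-14 10:02:09 1cd9Fb-003Xk9-Bc => user2@example.org F=<ceo@ccffp.org> R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.org [192.0.2.10] C="250 OK"
EOF
}

# Reads log lines on stdin; prints: date time recipient sender ip code
extract_failures() {
    awk '
    $4 == "**" {
        from = ip = code = "-"        # "-" marks a field the line lacks
        for (i = 6; i <= NF; i++) {
            # First match wins: Exim writes its own fields before the
            # remote server reply, which is untrusted text.
            if (from == "-" && $i ~ /^F=</) {
                from = $i; sub(/^F=</, "", from); sub(/>$/, "", from)
                if (from == "") from = "<>"   # null sender (bounce)
            } else if (ip == "-" && $i ~ /^I=\[/) {
                ip = $i; sub(/^I=\[/, "", ip); sub(/\].*$/, "", ip)
            }
        }
        # SMTP reply code: ": " then 4xx/5xx then space or hyphen.
        if (match($0, /: [45][0-9][0-9][ -]/))
            code = substr($0, RSTART + 2, 3)
        print $1, $2, $5, from, ip, code
    }'
}

sample_log | extract_failures
```

On a real log, run it as extract_failures < logs; the column order matches the output asked for in the question.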