We have a script that runs several commands, rolls up all the output and inserts it into a log file. One of the commands it runs is "netstat -anp". I'd like to be able to search this file for all runs of the command and filter for certain IPs. Is this possible with sed or awk? If so, what would the command look like?
2 Answers
For filtering data from a file it is better to use grep. For example:
grep <search string> <filename>
With awk you can use something like:
awk '/string/ {command}' <filename>
To get IPs counted, you can use
uniq -c <filename>
This will give you the unique IPs with a count.
- Not sure if grep is going to do what I need, and I can't get the awk example to output anything. But let me clarify what I am trying to accomplish. I want to search for all runs of the netstat -anp command and filter for a certain IP address, then have it list the total number of times it was seen. Right now I'm just interested in established connections. (Commented May 5, 2015 at 4:07)
- I think I got it: "grep 'netstat -anp' | awk '/IP_Address/' logfile | wc -l" does the job. Thanks for the help! (Commented May 5, 2015 at 4:11)
- That being said, in the script the command is run every ten minutes. It would be nice to know how to list the total number of times the IP address was seen at each interval, in order to find patterns or upticks as time goes on. Anyone know of a way to do this? (Commented May 5, 2015 at 4:18)
I take it that "rolls up" means that all newlines are removed and the output of each command is thus "rolled up" to a single line. If so, your grep ... | awk ... will work, but you don't need both commands ("never use two when one will suffice" is generally a good idea). In addition, your command line has a couple of issues (like no input for grep but a filename given to awk, which means the grep is non-functional, and no reason for using wc when grep has a -c option).
ipaddr=192.168.0.1
grep -c "netstat -anp.*$ipaddr" logfile
Edit: Your latest comment says you want to count how many times the IP address appears within a given interval. Since the netstat command is run multiple times within the interval and since they're all on one line, a simple uniq -c won't suffice. In fact, without resorting to perl, this is the first thing I came up with:
ipaddr=192.168.0.1
grep "netstat -anp.*$ipaddr" logfile | tr -cs '0-9.' '\012' | grep -cxF "$ipaddr"
I'm assuming a POSIX or BSD-style tr command. In addition, the second grep is necessary because there could be many IP addresses other than the one you're looking for (that would be typical for netstat output).
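The per-interval counting that the last comment asks for, and the "established connections only" restriction from the first comment, can both be done in one awk pass over the rolled-up log. The script below is an added example and is not code from either answer. It assumes a log layout that the question does not spell out: each command run occupies one line, starting with a timestamp and then the command itself; the log contents are constructed sample data. The IP match is an exact token-prefix check rather than a regex, so 192.168.0.1 is not also counted when 192.168.0.10 or 192.168.0.100 appears on the same line.

```shell
#!/bin/sh
# Added example (not from the original post or answers): per-interval counts of
# one IP address in a log where each run of "netstat -anp" is rolled up onto a
# single line. Assumed (constructed) layout: "<date> <time> <command> <output...>".

# Constructed sample log: three netstat runs ten minutes apart plus one unrelated
# command, every run on one line. Not real data.
make_sample_log() {
  cat <<'EOF'
2015-05-05 04:00 netstat -anp tcp 0 0 10.0.0.5:22 192.168.0.1:51234 ESTABLISHED 1234/sshd tcp 0 0 10.0.0.5:80 192.168.0.10:40001 ESTABLISHED 2222/httpd
2015-05-05 04:10 netstat -anp tcp 0 0 10.0.0.5:22 192.168.0.1:51234 ESTABLISHED 1234/sshd tcp 0 0 10.0.0.5:443 192.168.0.1:51300 ESTABLISHED 2222/httpd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
2015-05-05 04:20 df -h Filesystem Size Used Avail Use% Mounted on /dev/sda1 20G 5G 15G 25% /
2015-05-05 04:20 netstat -anp tcp 0 0 10.0.0.5:22 192.168.0.1:51234 ESTABLISHED 1234/sshd tcp 0 0 10.0.0.5:22 192.168.0.1:51400 ESTABLISHED 1234/sshd tcp 0 0 10.0.0.5:22 192.168.0.1:51401 ESTABLISHED 1234/sshd tcp 0 0 10.0.0.5:80 192.168.0.100:40002 ESTABLISHED 2222/httpd
EOF
}

# Print one line per netstat run: "<date> <time> <occurrences> <established>".
# <occurrences> counts every "IP:port" token on the line (local or foreign side).
# <established> counts only tokens whose next field is ESTABLISHED, which in
# netstat output is the foreign-address column of an established TCP socket.
per_interval_counts() {  # $1 = IP address, $2 = log file
  awk -v ip="$1" '
    /netstat -anp/ {
      prefix = ip ":"; total = 0; est = 0
      for (i = 1; i <= NF; i++) {
        # Exact prefix match: 192.168.0.1: does not match 192.168.0.10:...
        if (substr($i, 1, length(prefix)) == prefix) {
          total++
          if (i < NF && $(i + 1) == "ESTABLISHED") est++
        }
      }
      print $1, $2, total, est
    }' "$2"
}

# Single number: established connections from the IP summed over all runs.
total_established() {  # $1 = IP address, $2 = log file
  per_interval_counts "$1" "$2" | awk '{ s += $4 } END { print s + 0 }'
}

log=$(mktemp)
make_sample_log > "$log"
per_interval_counts 192.168.0.1 "$log"   # one line per run, counts rising 1, 2, 3
total_established 192.168.0.1 "$log"     # 6
rm -f "$log"
```

Run it against the real log by replacing make_sample_log with the file path; the per-run lines are what the commenter wanted for spotting upticks over time, and the first two columns stay whatever the script writes ahead of each command, since awk only uses them as labels.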