Re: Help with my thought process...parsing a log



Robert Hicks on Wednesday, 11 January 2006 17:00:
> "John Doe" <security.department@xxxxxxxx> wrote in message
> news:200601102333.49358.security.department@xxxxxxxxxxx
>
> > Robert Hicks on Tuesday, 10 January 2006 18:16:
> > > I have an application log that shows the "time", "id" and "type" for a
> > > user logging in. A short excerpt looks like this:
> > >
> > > 19/12/2005 07:28:37 User (guest) logging in from (LIMS-CIT) - Assigned
> > > Userno (7045)
> > > 19/12/2005 07:32:06 User (guest) logging in from (LIMS-CIT) - Assigned
> > > Userno (1959)
> > > 19/12/2005 07:51:38 User (guest) logging in from (LIMS-CIT) - Assigned
> > > Userno (7601)
> > > 19/12/2005 07:54:10 User (guest) logging off - Userno (7601)

The structure of the logoff line differs from the login line.

> > Are you interested in one specific Userno only, or do you want the login
> > times for all Usernos?
> >
> > What do you mean by "could log in and log out multiple times"? In
> > parallel, or sequential? If parallel: Are different Usernos assigned
> > for the same user logged in multiple times?
>
> I am not really interested in the "user" per se just the "Userno" but that
> can appear several times in the log for both logins and logouts.
>
> So I need to first find the login line and Userno and then find the first
> logout line with the Userno and then do a time diff.

[...]

> I have only created a regex so far to split the information out and doing
> some counts. Code is below:
>
> use strict;
> use warnings;
> use English;
> use Carp;
>
> my $filename = 'test.log';
> open my $LOG, '<', $filename or croak "Can't open '$filename': $OS_ERROR";
>
> # Test line from logfile
> #$_ = "19/12/2005 08:53:31 ECP3.2.01.1008I : User (guest) logging in from (LIMS-CIT) - Assigned Userno (A50C)";
>
> # This parses a login entry
> while (<$LOG>) {
>
> my ( $date, $time, $ecp, $login_message, $login_type, $login_loc, $userno, $userid )
> = / # regex begins
> ^ # string anchor
> (\d{2}.\d{2}.\d{4}) # $date
> \ # literal space
> (\d+:\d+:\d+) # $time
> \ # literal space
> (ECP\d.\d.\d{2}.\w{5}) # $ecp
> \ # literal space
> : # literal :
> \ # literal space
> (User\s\([\S.]+\)) # $login_message
> \ # literal space
> (logging\sin) # $login_type
> \ # literal space
> (from\s\([\S.]+\)) # $login_loc
> \ # literal space
> - # literal -
> \ # literal space
> (Assigned\sUserno) # $userno
> \ # literal space
> \( # literal (
> (\w{4}) # $userid
> \) # literal )
> /xms; # regex ends
>
> print join "\n", $date, $time, $ecp, $login_message, $login_type,
> $login_loc, $userno, $userid, "\n";
> last; # I only want one line returned from the log for testing
> }
>
> This prints out:
>
> 19/12/2005
> 07:28:37
> ECP3.2.01.1008I
> User (guest)
> logging in
> from (LIMS-CIT)
> Assigned Userno
> 7045

Ok, one way is to extract the information by regexes (one for each of the two
line structures). Another one, which I choose below, is split. I omit the
strings that are always the same, like "logging in", and some others for brevity.

It's just a skeleton you could start with:

==== begin script ========

#!/usr/bin/perl

use strict;
use warnings;

# Placeholder for the login/logoff time difference; it just echoes its arguments.
sub diff {'exercise for the reader: '.join ', ', @_};

# key:   userno
# value: arrayref with two entries, the login date and the login time;
#        the entry is deleted again as soon as the matching logoff line is seen
#
my %table;

while (<DATA>) {
    my @fields = split /\s+/, $_;
    # field 5 is "in" on a login line and "off" on a logoff line
    my ($date, $time, $inout, $userno) = (@fields[0,1,5], 0);

    if ($inout eq 'in') {
        # login line: the Userno is the 12th whitespace-separated field
        ($userno) = $fields[11] =~ /\((.+)\)/;
        if (exists $table{$userno}) { warn "$userno already logged in"; }
        else { $table{$userno} = [$date, $time]; }
    }
    else {
        # logoff line: the Userno is the 9th whitespace-separated field
        ($userno) = $fields[8] =~ /\((.+)\)/;
        unless (exists $table{$userno}) { warn "$userno not logged in"; }
        else {
            my $time_diff = diff(@{$table{$userno}}, $date, $time);
            print "$userno: $time_diff\n";
            delete $table{$userno};
        }
    }
}


__DATA__
19/12/2005 07:51:38 User (guest) logging in from (LIMS-CIT) - As User (7601)
19/12/2005 07:52:38 User (guest) logging in from (LIMS-CIT) - As User (7603)
19/12/2005 07:54:10 User (guest) logging off - Userno (7601)
19/12/2005 07:56:38 User (guest) logging in from (LIMS-CIT) - As User (7602)
19/12/2005 07:57:10 User (guest) logging off - Userno (7602)
19/12/2005 07:57:11 User (guest) logging off - Userno (7603)

==== end script ========
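As an added example (my own code, not part of the thread above), here is the
skeleton carried through to a working version: one regex that accepts both line
shapes, the login paired with the first later logoff for the same Userno, and
the session length computed in seconds with the core Time::Local module. It
assumes the timestamps are dd/mm/yyyy hh:mm:ss as in the excerpt, that the
"ECP... :" token Robert's test line shows may or may not be present, and that a
second login for an already-open Userno, a logoff without a login, and a Userno
still open at end of file are worth reporting rather than silently dropped. The
lines under __DATA__ are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not code from the original post. Pairs login/logoff lines by
# Userno and reports the session length in seconds. The __DATA__ lines are
# constructed; the "ECP..." token is treated as optional because the thread
# shows log lines both with and without it (an assumption about the real log).
use strict;
use warnings;
use Time::Local qw(timegm);

# One regex for both line shapes; the logoff line has no "from (...)" part.
my $line_re = qr{
    ^ (\d{2}) / (\d{2}) / (\d{4})          # day / month / year
    \s+ (\d{2}) : (\d{2}) : (\d{2})        # hh:mm:ss
    (?: \s+ ECP\S+ \s+ : )?                # optional code such as ECP3.2.01.1008I :
    \s+ User \s \( ([^)]+) \)              # user name
    \s+ logging \s (in|off)                # which event this line records
    (?: \s+ from \s \( ([^)]+) \) )?       # host, present on login lines only
    \s+ - \s+ (?:Assigned \s+)? Userno \s \( (\w+) \)   # the Userno
}x;

# Turn the six date/time fields into epoch seconds. timegm treats the stamp
# as UTC, which is what we want for differences: no local DST surprises.
sub to_epoch {
    my ($d, $mon, $y, $H, $M, $S) = @_;
    return timegm($S, $M, $H, $d, $mon - 1, $y);
}

# Parse one log line; returns a hashref, or undef for lines of other shapes.
sub parse_line {
    my ($line) = @_;
    my @caps = $line =~ $line_re or return;
    my ($d, $mon, $y, $H, $M, $S, $user, $event, $host, $userno) = @caps;
    return {
        epoch  => to_epoch($d, $mon, $y, $H, $M, $S),
        user   => $user,
        event  => $event,
        host   => defined $host ? $host : '?',
        userno => $userno,
    };
}

# Walk the log once: a login opens a session keyed by Userno, the first
# matching logoff closes it. Anomalies are collected so a caller can act on them.
sub session_lengths {
    my @lines = @_;
    my (%open, @sessions, @problems);
    for my $line (@lines) {
        my $rec = parse_line($line) or next;   # skip lines we do not understand
        my $no  = $rec->{userno};
        if ($rec->{event} eq 'in') {
            push @problems, "$no logged in again without logging off"
                if exists $open{$no};
            $open{$no} = $rec;                 # the latest login wins
        }
        elsif (my $login = delete $open{$no}) {
            push @sessions, {
                userno  => $no,
                user    => $login->{user},
                host    => $login->{host},
                seconds => $rec->{epoch} - $login->{epoch},
            };
        }
        else {
            push @problems, "$no logged off without a matching login";
        }
    }
    push @problems, "$_ still logged in at end of log" for sort keys %open;
    return (\@sessions, \@problems);
}

my ($sessions, $problems) = session_lengths(<DATA>);
printf "%-6s %-8s %-10s %6ds\n", @{$_}{qw(userno user host seconds)} for @$sessions;
print "warning: $_\n" for @$problems;

__DATA__
19/12/2005 07:28:37 User (guest) logging in from (LIMS-CIT) - Assigned Userno (7045)
19/12/2005 07:32:06 ECP3.2.01.1008I : User (guest) logging in from (LIMS-CIT) - Assigned Userno (1959)
19/12/2005 07:51:38 User (guest) logging in from (LIMS-CIT) - Assigned Userno (7601)
19/12/2005 07:54:10 User (guest) logging off - Userno (7601)
19/12/2005 08:01:00 User (guest) logging off - Userno (1959)
19/12/2005 08:02:00 User (guest) logging off - Userno (9999)
```

Run as-is it closes the 7601 and 1959 sessions and warns about 7045 (never
logged off) and 9999 (never logged in). The warnings are the part worth keeping
when this is used on a real authentication log: a Userno that logs in twice
without a logoff, or logs off without a login, is either a gap in the log or a
session the application lost track of, and both are things you want to see
rather than have the pairing quietly skip.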