ntang (ntang) wrote,

blarg

Just wrote a regex to parse syslog entries... from multiple hardware/os/software vendors.
use strict;
use warnings;

my ($date, $host, $service, $message);

# Reads the files named on the command line (or STDIN), one syslog line at a time.
while (<>) {
  chomp;
  # Strip the FreeBSD "Forwarded from host:" prefix.
  s/Forwarded from [\w\.\-]+\:\s+//g;
  # NetApp filers log a second timestamp after the hostname, so match them first.
  if ( /(\w+\s\d+\s\d{2}\:\d{2}\:\d{2})\s(netapp[\w\-]+)[\w\-\.]*\s\w+\s\w+\s\d+\s\d{2}\:\d{2}\:\d{2}\s\w+\s\[([^:]+)\]\:\s+(.+)\s*$/ ) {
    ($date,$host,$service,$message) = ($1,$2,$3,$4);
  }
  # Everything else: "date host service[pid]: message".
  elsif ( /(\w+\s\d+\s\d{2}\:\d{2}\:\d{2})\s([\w\-]+)[\w\-\.]*\s([^:]+)\:\s+(.+)\s*$/ ) {
    ($date,$host,$service,$message) = ($1,$2,$3,$4);
    # Drop the "[pid]" suffix from the service name.
    if ( $service =~ /([^\[]+)\[\d+\]/ ) { $service = $1; }
  }
  else { print "Non-matching line: [$_]\n"; next; }
  print "DATE [$date] HOST [$host] SERVICE [$service] MESSAGE [$message]\n";
}
First it strips the annoying FreeBSD "Forwarded from ..." prefix. Then it checks whether the line comes from a NetApp, which has a stupid double-timestamp format, and otherwise parses the line as ordinary syslog; if the service name carries a [pid] suffix, that gets stripped out too.
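The same three-step parse (strip the forwarding prefix, try the NetApp double-timestamp shape, fall back to plain syslog and drop the [pid]) rendered in Python, as an added example rather than the post's own code. It generalizes the date pattern to accept the two-space padding syslog uses for single-digit days, and keeps non-matching lines in a separate bucket instead of dropping them, since silently discarded lines are a visibility gap when these logs feed detection; all sample lines and hostnames are constructed.

```python
import re

# Constructed sample input covering the three line shapes the post describes.
SAMPLE_LINES = [
    "Forwarded from fw01: Mar  3 14:02:11 fw01.example.com sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "Mar  3 14:02:12 netapp-fas1.example.com Tue Mar  3 14:02:12 EST [kern.log.info]: Volume vol0 is full",
    "Mar  3 14:02:13 core-sw1 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "this is not a syslog line",
]

# "Mon  3 14:02:11" -- \s+ accepts the padded day that a single \s would reject.
DATE = r"(?P<date>\w+\s+\d+\s+\d{2}:\d{2}:\d{2})"
FORWARDED = re.compile(r"Forwarded from [\w.\-]+:\s+")
# NetApp: date host <weekday month day time tz> [service]: message
NETAPP = re.compile(
    DATE + r"\s+(?P<host>netapp[\w\-]+)[\w.\-]*\s+\w+\s+\w+\s+\d+\s+\d{2}:\d{2}:\d{2}\s+\w+\s+"
    r"\[(?P<service>[^:\]]+)\]:\s+(?P<message>.+?)\s*$"
)
# Everything else: date host service[pid]: message (the FQDN tail after host is discarded)
GENERIC = re.compile(
    DATE + r"\s+(?P<host>[\w\-]+)[\w.\-]*\s+(?P<service>[^:]+):\s+(?P<message>.+?)\s*$"
)
PID_SUFFIX = re.compile(r"^(?P<name>[^\[]+)\[\d+\]$")


def parse_syslog_line(line):
    """Return a dict with date/host/service/message, or None if no shape matches."""
    line = FORWARDED.sub("", line.rstrip("\n"))
    match = NETAPP.match(line) or GENERIC.match(line)
    if match is None:
        return None
    record = match.groupdict()
    pid = PID_SUFFIX.match(record["service"])
    if pid:
        record["service"] = pid.group("name")
    return record


def parse_lines(lines):
    """Split lines into parsed records and the raw lines nothing matched."""
    parsed, unmatched = [], []
    for line in lines:
        record = parse_syslog_line(line)
        if record is None:
            unmatched.append(line)
        else:
            parsed.append(record)
    return parsed, unmatched
```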