Assistance with awk command
Hello, I have a log file in which "each" log line has the following format:
Jun 26 11:10:27 ip-1-4-5-6 snx: {"@message":"Successful response body: {\"payload\":
[{
\"LID\":\"\",
\"EID\":\"75~1\",
\"SNFlag\":1,
\"Error\":\"Match found\"
},{\"LID\":\"\",
\"EID\":\"78~10\",
\"SNFlag\":1,
\"Error\":\"Match found\"
},{\"LID\":\"\",
\"EID\":\"385~25\",
\"SNFlag\":1,
\"Error\":\"Match found\"
},{\"LID\":\"3e76j5866\",
\"EID\":\"85~26\",
\"SNFlag\":1},
},{\"LID\":\"\",
\"EID\":\"33~9\",
\"SNFlag\":1,
\"Error\":\"Match found\"
}]} UniqueNonce: 1593169824239","@timestamp":"2020-06-26T11:10:27.837Z","@fields":{"gID":"sand_entry","logID":"x82","component":"ABC","level":"info"}}
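Could I get some help with the below, as I have tried several trial-and-error approaches but did not get an accurate count. My requirement is that whenever there is an Error which says "Match found", I need to print the EID of those lines and then print its count across the whole log file. Please note that the format specified above is only one log line, and my log file has many such lines.
Thanks for your help.

Could you please try the following, written with GNU awk based on the samples you have shown.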
tac Input_file |
awk -F"\"" '
/\\"Error\\":\\"Match found\\"/{
found=1
}
found && /EID/{
sub(/\\/,"",$(NF-1))
print $(NF-1)
count++
found=""
}
END{
print "Total matches found are:" count
}'
Explanation: adding a detailed explanation of the above.
tac Input_file | ##Printing Input_file in reverse order to get line with ERROR before EID line to make it easy.
awk -F"\"" ' ##Sending tac output to awk and setting field separator as " here.
/\\"Error\\":\\"Match found\\"/{ ##Checking condition if line has \"Error\":\"Match found\" in it then do following.
found=1 ##Setting found here which is proof that Error line has found in current line.
}
found && /EID/{ ##Checking condition if found is SET and current line has EID in it then do following.
sub(/\\/,"",$(NF-1)) ##Substituting \ with NULL in 2nd last field.
print $(NF-1) ##Printing 2nd last field here which has actual EID value in it.
count++ ##Increasing count value by 1 here.
found="" ##Nullifying found here.
}
END{ ##Starting END block from here.
print "Total matches found are:" count ##Printing total count of matches here for whole Input_file.
}'
will print all eid values, as follows:
75~1
78~10
385~25
85~26
33~9
Since you only want to print the eid when an error is present in it, change this to (and add a count):
Output:
75~1
78~10
385~25
33~9
Count:4
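
Added example, not part of the original thread or either answer: a POSIX awk variant that uses `}` as the record separator, so the result is the same whether a log entry sits on one physical line or is wrapped over several as in the sample. It prints both the number of error occurrences and the number of distinct EIDs, the two readings of "its count" raised in the comments on the question. The function name `count_match_eids`, the `Unique:` line and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: count EIDs whose payload object reports "Match found".
# Usage: count_match_eids FILE   (function name is hypothetical)
count_match_eids() {
  awk '
    # Every payload object ends with "}", so with RS="}" each awk record
    # holds at most one object, regardless of how the entry is wrapped.
    BEGIN { RS = "}" }
    /\\"Error\\"[ \t]*:[ \t]*\\"Match found\\"/ {
      # Locate \"EID\":\"<value> inside this object only.
      if (match($0, /\\"EID\\"[ \t]*:[ \t]*\\"[^\\"]*/)) {
        eid = substr($0, RSTART, RLENGTH)
        sub(/^.*\\"/, "", eid)        # keep only the value
        print eid
        total++
        if (!(eid in seen)) { seen[eid] = 1; uniq++ }
      }
    }
    END {
      print "Count:" total + 0        # error occurrences
      print "Unique:" uniq + 0        # distinct EIDs with an error
    }' "$1"
}

# Constructed sample: one entry on a single line, one wrapped.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Jun 26 11:10:27 ip-1-4-5-6 snx: {"@message":"body: {\"payload\": [{\"LID\":\"\", \"EID\":\"75~1\", \"SNFlag\":1, \"Error\":\"Match found\"},{\"LID\":\"3e76j5866\", \"EID\":\"85~26\", \"SNFlag\":1}]} UniqueNonce: 1","@fields":{"level":"info"}}
Jun 26 11:10:28 ip-1-4-5-6 snx: {"@message":"body: {\"payload\":
[{
\"LID\":\"\",
\"EID\":\"75~1\",
\"SNFlag\":1,
\"Error\":\"Match found\"
},{\"LID\":\"\",
\"EID\":\"33~9\",
\"SNFlag\":1,
\"Error\":\"Match found\"
}]} UniqueNonce: 2","@fields":{"level":"info"}}
EOF
count_match_eids "$sample"
rm -f "$sample"
```

The pattern assumes the escaped-quote form shown in the sample (`\"EID\":\"...\"`); an entry logged with unescaped JSON would need the backslashes removed from both regular expressions.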
Good that you mentioned you have tried many approaches to solve your problem. It is recommended that you add those efforts to your question too, so kindly do so (there is nothing wrong or right here, as we are all here to learn). Cheers.
When your real data has multiple records, you should include at least 2 records in the sample input in your question. Also make sure to include the expected output in your question. Otherwise we are doing a lot of guessing (e.g. I can imagine several things "it" could mean in the statement "...its count..." - count of errors? count of unique EIDs with errors? count of errors per EID? etc.).
Are you sure that is exactly the format of your log file records? Your terminating } does not match any opening {. The { at the start of {@message matches once with the } at the start of }, and the { at the start of {gID matches the first } in "info", leaving the second/last } hanging by itself with no starting {.
Could you let me know whether my answer helped you?