[SOLVED] Search a variable and a string in a file using AWK
I need to find every line that has the previous hour and the word POST and print out the first column. In this example, I would need 5.5.5.5 printed out 3 times
# Splitting each POST line on "[" and "]" puts the text before the bracketed
# timestamp in foo[0] and the timestamp itself in foo[1]
while IFS="[]" read -r -a foo
do
    printf "test this \"%s\" " "${foo[1]}"
    # ${foo[0]%% *} strips everything after the first space, leaving the IP
    printf "and print this \"%s\" if matched\n" "${foo[0]%% *}"
done < <(grep POST filename.txt)
your test is a moving target, so I've not attempted to do the test
I'm still guessing about the content and format of the InFile.
Anyway, you could read the InFile twice instead of building a copy
in an array. Something like this ...
Thanks all for the input, sorry I didn't post up sooner, I was trying to get this done and wasn't expecting such quick replies.
My input file is the standard apache access logs. I am looking for a pattern of a POST to a certain URL and the format will always be the same.
What I want is if a specific URL is POSTed to more than 10 times in an hour from the same IP address, I want to be notified via email of the number of times and the IP addresses associated with each POST. I used turbo's statement and came up with:
Code:
#!/bin/bash
file=carding_attack_ips.txt
#
echo -e "Possible carding attack on Propper's prod site.\n\nThere have been more than 10 POSTs to paypal during the last hour.\n\nBelow are the number of times POSTed and the IPs that need to be investigated.\n\n" > "$file"
#Looking for all the POSTs to paypal for the last hour
#(the field numbers $5 and $7 depend on the LogFormat in use, check them against a sample line;
# the date is spliced into the regex with dots in place of slashes so it needs no escaping)
awk '$5 ~ /'"$(date +%d.%b.%Y.%H -d "- 1 hour")"'/ && $7 ~ /POST \/paypal\/transparent\/requestSecureToken\// {print $1}' /var/www/propper-prod/logs/access.log | sort | uniq -c | sort -r -k 1 -n >> "$file"
#awk -v timestamp=$(date -d '1 hour ago' '+%d/%b/%Y:%H:') '/POST \/paypal\/transparent\/requestSecureToken\// && $0~timestamp { print $1 }' /var/www/propper-prod/logs/access.log | sort | uniq -c | sort -r -k 1 -n >> "$file"
#If any posts are greater than 10 send an email starting to read the file at line 7 to avoid the email body
#The list is sorted by count, highest first, so line 7 holds the largest count; compare it as a number
#(a [[ ... > 2 ]] test would be a string comparison of awk's whole output, not a numeric one)
top=$(awk -v NUM=7 '(NR>=NUM) {print $1; exit}' "$file")
if [[ ${top:-0} -gt 2 ]]
then
    mutt -s "Possible Carding Attack on Propper" -- tom.moretto@atlanticbt.com < "$file"
fi
I have the script running as a cronjob at the top of every hour.
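A self-contained version of the same check, added here as an example and not code from anyone in this thread: it parses Apache combined-format lines with awk, compares the hour prefix and the request path as literal strings (so neither the slashes in the date nor those in the URL need regex escaping), counts POSTs per client IP and lists the IPs over a threshold. The log lines in LOG_SAMPLE are constructed for the demo; the hour argument is what GNU `date -d '1 hour ago' +%d/%b/%Y:%H` prints.

```shell
#!/bin/sh
# Added example, not the thread's own code. Counts POSTs to one URL per client
# IP within a given hour of Apache combined-format log lines.

# Constructed sample log (three POSTs from 5.5.5.5 in hour 15, one GET,
# one POST from another IP, and one POST in the following hour).
LOG_SAMPLE='5.5.5.5 - - [18/Oct/2019:15:01:02 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "curl/7.58"
5.5.5.5 - - [18/Oct/2019:15:01:03 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "curl/7.58"
5.5.5.5 - - [18/Oct/2019:15:01:04 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "curl/7.58"
6.6.6.6 - - [18/Oct/2019:15:10:00 +0000] "GET /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
7.7.7.7 - - [18/Oct/2019:15:20:00 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
5.5.5.5 - - [18/Oct/2019:16:00:00 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "curl/7.58"'

# count_posts HOUR PATH
#   HOUR is the log-style hour prefix, e.g. 18/Oct/2019:15.
#   Reads log lines on stdin and writes "COUNT IP" lines, highest count first.
count_posts() {
  awk -v hour="$1" -v path="$2" '
    {
      # bracketed timestamp: [18/Oct/2019:15:01:02 +0000]
      if (!match($0, /\[[^]]*\]/)) next
      ts = substr($0, RSTART + 1, RLENGTH - 2)
      # %d/%b/%Y:%H is always 14 characters, so compare the prefix literally
      if (substr(ts, 1, 14) != hour) next
      # the request line is the text between the first pair of double quotes
      n = split($0, q, "\"")
      if (n < 3) next
      split(q[2], req, " ")           # req[1] = method, req[2] = path
      if (req[1] == "POST" && req[2] == path) hits[$1]++
    }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -rn -k1,1
}

# over_threshold HOUR PATH THRESHOLD
#   Prints only the IPs whose POST count exceeds THRESHOLD.
over_threshold() {
  count_posts "$1" "$2" | awk -v limit="$3" '$1 + 0 > limit + 0'
}

# Demo: the one IP that POSTed more than twice during hour 15
printf '%s\n' "$LOG_SAMPLE" | over_threshold "18/Oct/2019:15" "/paypal/transparent/requestSecureToken/" 2
```

For a cron job the demo line becomes `over_threshold "$(date -d '1 hour ago' +%d/%b/%Y:%H)" "/paypal/transparent/requestSecureToken/" 10 < /path/to/access.log`, and the output is non-empty exactly when something should be mailed.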
log format is flawed, you need to go through many steps to get it into a form that is flexible
there was no mention of cron in your OP, with that context I now understand the date to be a filter and not a test condition
anyway, solution in my previous post
very simple once I understood what you actually wanted
ahh, gotcha. I didn't know a cron would have made a difference with what I was looking for. sorry for not mentioning it sooner (I guess every detail is important).
with your awk statement, you substitute the forward slash with periods... is that for regex purposes to capture any character?
yeap, ~ /18/Oct/2019:15/ proved problematic
18.Oct.2019:15
is a much safer filter
I could have grabbed the date to a var and escaped it, but . was quicker
yeah the cron mattered, since that helped me understand the "previous hour"
and real time format has a standard,
Code:
date --iso-8601=ns
Code:
SecondsSince=$(date +%s.%N -d "$(date --iso-8601=ns)")
echo ${SecondsSince}
date -d "@${SecondsSince}"
when you get things back to seconds.nanoseconds you can do some maths and get back to a date/time
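The "back to seconds, then do the maths" idea applied to the log's own timestamps, as an added example rather than code from this thread: convert an Apache timestamp like `18/Oct/2019:15:01:02 +0000` to epoch seconds in plain awk (no gawk `mktime`, no GNU `date -d` parsing), compute the previous hour as an epoch window from a given "now", and test whether the timestamp falls inside it. The timestamps and the "now" value below are constructed; a cron job would pass `$(date +%s)` instead.

```shell
#!/bin/sh
# Added example, not the thread's own code: epoch arithmetic on Apache log
# timestamps so the "previous hour" is a numeric window, not a string match.

# apache_ts_to_epoch "18/Oct/2019:15:01:02 +0000"  ->  1571410862
apache_ts_to_epoch() {
  printf '%s\n' "$1" | awk '
    # days since 1970-01-01 for a civil date (Howard Hinnant days_from_civil)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    {
      split($1, t, "[/:]")        # t: day mon year hour min sec
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[2]) + 2) / 3
      days = days_from_civil(t[3] + 0, mon, t[1] + 0)
      secs = days * 86400 + t[4] * 3600 + t[5] * 60 + t[6]
      # $2 is the UTC offset such as +0200; local wall time minus offset is UTC
      sign = (substr($2, 1, 1) == "-") ? -1 : 1
      off = sign * (substr($2, 2, 2) * 3600 + substr($2, 4, 2) * 60)
      printf "%d\n", secs - off
    }'
}

# previous_hour_window NOW  ->  "START END" in epoch seconds, END exclusive
previous_hour_window() {
  awk -v now="$1" 'BEGIN { s = int(now / 3600) * 3600 - 3600; printf "%d %d\n", s, s + 3600 }'
}

# in_previous_hour TS NOW  ->  exit status 0 when TS falls in the hour before NOW
in_previous_hour() {
  ts=$(apache_ts_to_epoch "$1")
  set -- $(previous_hour_window "$2")
  [ "$ts" -ge "$1" ] && [ "$ts" -lt "$2" ]
}

# Demo with a constructed "now" of 18/Oct/2019 16:01:02 UTC (epoch 1571414462)
if in_previous_hour "18/Oct/2019:15:01:02 +0000" 1571414462; then
  echo "15:01:02 is in the previous hour"
fi
```

Because the comparison is numeric, a request logged with a different UTC offset, or one a few seconds either side of the hour boundary, is classified correctly; the string filter in the script above can only match lines whose printed hour is the same text.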