A better way to parse files and write log output

Time: 2018-04-03 19:17:32

Tags: batch-file

The purpose of this part of my script is to pull certain pieces out of log files that were gathered earlier in the same script. However, for the conditions, an entry gets added to %parse% for every one of them.

What I want is: if something is found in the findstr section, then write the data in the desired format into the %parse% file.

The current output is (it isn't as pretty here as it is in my log file):

Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - -------------- Start c:\programdata\dctool\Data\<Removed_HostName>\MA\McScript.log -------------
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> -
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start Virus Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End Virus Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start Blocked Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End Blocked Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start Detected Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End Detected Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start Deleted Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End Deleted Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start File-cksum-mismatch Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End File-cksum-mismatch Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start encrypted Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End encrypted Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - Start Failed Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - End Failed Search 
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> -
Tue 04/03/2018 - 13:51:23.19 - <Removed_UN> - <Removed_HostName> - -------------- End c:\programdata\dctool\Data\<Removed_HostName>\MA\McScript.log -------------

I like the first and last lines of this block. They tell me the file has been parsed. However, I don't want all the junk in the middle unless something was found. For example, "Start encrypted Search" and "End encrypted Search" should only appear if it actually found something.

::::::::::::::::::
:: Analyze Data ::
::::::::::::::::::
:analyze
echo %date% - %time% - %un% - %host% --- Log Parser --- >>%logfile%
echo --- Log Parser ---
echo.
for /f "tokens=*" %%a in (%filelocation%) do (
    echo %date% - %time% - %un% - %host% - -------------- Start %%a ------------->>%parse%
    echo %date% - %time% - %un% - %host% ->>%parse%
    echo %date% - %time% - %un% - %host% - Start Virus Search >>%parse%
    echo Start Virus Search
    for /f "tokens=*" %%b in ('findstr /r /n "virus" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End Virus Search >>%parse%
    echo End Virus Search
    echo %date% - %time% - %un% - %host% - Start Blocked Search >>%parse%
    echo Start Blocked Search
    for /f "tokens=*" %%b in ('findstr /r /n "Blocked" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End Blocked Search >>%parse%
    echo End Blocked Search
    echo %date% - %time% - %un% - %host% - Start Detected Search >>%parse%
    echo Start Detected Search
    for /f "tokens=*" %%b in ('findstr /r /n "detected" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End Detected Search >>%parse%
    echo End Detected Search
    echo %date% - %time% - %un% - %host% - Start Deleted Search >>%parse%
    echo Start Deleted Search
    for /f "tokens=*" %%b in ('findstr /r /n "deleted" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End Deleted Search >>%parse%
    echo End Deleted Search
    echo %date% - %time% - %un% - %host% - Start File-cksum-mismatch Search >>%parse%
    echo Start File-cksum-mismatch Search
    for /f "tokens=*" %%b in ('findstr /r /n "File-cksum-mismatch" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End File-cksum-mismatch Search >>%parse%
    echo End File-cksum-mismatch Search
    echo %date% - %time% - %un% - %host% - Start encrypted Search >>%parse%
    echo Start encrypted Search
    for /f "tokens=*" %%b in ('findstr /r /n "encrypted" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End encrypted Search >>%parse%
    echo End encrypted Search
    echo %date% - %time% - %un% - %host% - Start Failed Search >>%parse%
    echo Start Failed Search
    for /f "tokens=*" %%b in ('findstr /r /n "Failed" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End Failed Search >>%parse%
    echo End Failed Search
    echo %date% - %time% - %un% - %host% - Start inv_partial_sync Search >>%parse%
    echo Start inv_partial_sync Search
    for /f "tokens=*" %%b in ('findstr /r /n "inv_partial_sync" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    echo %date% - %time% - %un% - %host% - End inv_partial_sync Search >>%parse%
    echo End inv_partial_sync Search
    echo %date% - %time% - %un% - %host% ->>%parse%
    echo %date% - %time% - %un% - %host% - -------------- End %%a ------------->>%parse%
)
echo %date% - %time% - %un% - %host% - Parser log Location: %parse%>>%logfile%
echo %date% - %time% - %un% - %host% - Done Parsing>>%logfile%
echo Done Parsing
echo.
exit /b

3 Answers:

Answer 0 (score: 2)

If I understand correctly, this logic should work. You basically use a variable as a flag to decide whether any information gets written out.

    echo Start encrypted Search
    for /f "tokens=*" %%b in ('findstr /r /n "encrypted" %%a') do (
        IF NOT DEFINED encryptflag (
            echo %date% - %time% - %un% - %host% - Start encrypted Search >>%parse%
            set "encryptflag=0"
        )
        echo %date% - %time% - %un% - %host% - %%b>>%parse%
    )
    IF DEFINED encryptflag echo %date% - %time% - %un% - %host% - End encrypted Search >>%parse%

Answer 1 (score: 2)

Squashman answered your direct question the way I would handle it.

But you have another problem.

Using %date% and %time% inside a FOR /F loop makes no sense, because they will be a constant value. Percent expansion happens when the loop is parsed, and the loop is parsed only once, before it executes.

Possible solutions:

  • Use call echo %%date%% - %%time%% ..., but this is relatively slow. It also doubles any quoted ^ characters.
  • Or enable delayed expansion and use echo !date! - !time!, but this causes problems with any literal ! that may be in your %%b content when it is expanded. This can be solved by toggling delayed expansion on and off inside the loop.
  • Call a :timestamp subroutine that prints the timestamp plus whatever message you pass as an argument. An extra argument can make it print to the screen as well as to the file. This isn't as fast as delayed expansion, but it avoids the toggling problem, and it is faster than CALL ECHO. Percent expansion works here because it is outside the scope of the parenthesized block, so it is parsed on every call.

Also, repeatedly appending to the same file via redirection wastes time, because the file has to be opened and the file pointer moved to the end every time. Redirecting only once is much faster.

You have a lot of repeated code that can be encapsulated in a :search routine, which simplifies your code considerably.

>>"%parse%" (
  for /f "delims=" %%a in (%filelocation%) do (
    call :timestamp "-------------- Start %%a -------------"
    call :timestamp ""
    for %%s in (
      virus
      Blocked
      detected
      File-cksum-mismatch
      encrypted
      Failed
      inv_partial_sync
    ) do call :search "%%a" %%s
    call :timestamp ""
    call :timestamp "-------------- End %%a -------------"
  )
)
.... other stuff
exit /b

:search  File  String
  setlocal
  set "found="
  for /f "tokens=*" %%b in ('findstr /r /n %2 %1') do (
    if not defined found (
      call :timestamp "Start %~2 Search" CON
      set found=1
    )
    call :timestamp "%%b"
  )
  if defined found call :timestamp "End %~2 Search" CON
exit /b

:timestamp "message" conFlag
  echo %date% - %time% - %un% - %host% - %~1
  if "%~2" neq "" >con echo %date% - %time% - %un% - %host% - %~1
exit /b

Answer 2 (score: 0)

Replace each block with the following:

for %%a in (a.txt) do (
    ...
    echo Start Blocked Search
    findstr "Blocked" %%a >nul && (
      echo %date% - %time% - %un% - %host% - Start Blocked Search >>%parse%
      for /f "tokens=*" %%b in ('findstr /r /n "Blocked" %%a') do (
        echo %date% - %time% - %un% - %host% - %%b >>%parse%
      )
      echo %date% - %time% - %un% - %host% - End Blocked Search >>%parse%
    )
    echo End Blocked Search
    ...
)

findstr "Blocked" %%a >nul && ( ... is exactly what you wrote in the question: IF something is found in the findstr section, then ...
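The three answers share one idea: emit a keyword's Start/End markers only when that keyword actually matched (answer 0's flag variable, answer 2's `findstr ... >nul &&` pre-check), evaluate the timestamp per line and open the output file once rather than once per echo (answer 1). The Python below is an added example of that logic applied to the question's keyword list; it is not code from the question or from any of the answers. The sample log lines, the user/host values and the fixed clock are constructed for the demonstration.

```python
"""Conditional section emission for a keyword log scan (added example)."""
from datetime import datetime
from typing import List, Optional

# Keyword list taken from the question's batch script. findstr without /i is
# case-sensitive, and /r on these patterns (no metacharacters) is just a
# substring match, so a plain `in` test reproduces it.
KEYWORDS = ["virus", "Blocked", "detected", "deleted",
            "File-cksum-mismatch", "encrypted", "Failed", "inv_partial_sync"]

# Constructed sample input standing in for McScript.log; not real product output.
SAMPLE_LOG = """\
2018-04-03 13:40:01 Agent startup complete
2018-04-03 13:40:05 Scan of c:\\temp\\sample.bin: threat detected
2018-04-03 13:40:06 Action Failed: access denied
2018-04-03 13:40:07 Heartbeat OK
"""

# Fixed clock used by the demo so the output is reproducible (constructed value).
FIXED_NOW = datetime(2018, 4, 3, 13, 51, 23, 190000)


def stamp(msg: str, user: str, host: str, now: Optional[datetime] = None) -> str:
    """Build one '%date% - %time% - %un% - %host% - msg' line.

    The clock is read on every call, which is what answer 1's :timestamp
    subroutine achieves; %date%/%time% inside a batch FOR block is expanded
    once and repeats the same value on every line.
    """
    when = now or datetime.now()
    # Mimic the format in the question's output: 'Tue 04/03/2018 - 13:51:23.19'
    ts = when.strftime("%a %m/%d/%Y - %H:%M:%S.") + f"{when.microsecond // 10000:02d}"
    return f"{ts} - {user} - {host} - {msg}".rstrip()


def search_section(lines: List[str], keyword: str) -> List[str]:
    """Return 'N:line' hits for one keyword, like `findstr /n`."""
    return [f"{i}:{line}" for i, line in enumerate(lines, 1) if keyword in line]


def parse_log(label: str, lines: List[str], user: str, host: str,
              keywords: List[str] = KEYWORDS, now: Optional[datetime] = None,
              console: bool = False) -> List[str]:
    """Produce the %parse% lines for one log file: the header, only the
    keyword sections that actually matched, then the footer."""
    out = [stamp(f"-------------- Start {label} -------------", user, host, now),
           stamp("", user, host, now)]
    for kw in keywords:
        hits = search_section(lines, kw)
        if not hits:
            # Nothing matched: no Start/End markers for this keyword. This is
            # answer 0's flag and answer 2's `findstr ... >nul &&` pre-check.
            continue
        if console:
            print(f"Start {kw} Search")
        out.append(stamp(f"Start {kw} Search", user, host, now))
        out.extend(stamp(h, user, host, now) for h in hits)
        out.append(stamp(f"End {kw} Search", user, host, now))
        if console:
            print(f"End {kw} Search")
    out.append(stamp("", user, host, now))
    out.append(stamp(f"-------------- End {label} -------------", user, host, now))
    return out


def write_parse_file(path: str, lines: List[str]) -> int:
    """Append all lines with a single open, as answer 1 recommends, rather
    than one `>>` redirection per echo. Returns the number of lines written."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    report = parse_log("McScript.log", SAMPLE_LOG.splitlines(),
                       "user", "host", now=FIXED_NOW, console=True)
    print("\n".join(report))
```

With the sample above only the `detected` and `Failed` sections appear between the Start/End header and footer lines; the other six keywords produce no output at all, which is the behaviour the question asks for.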