我正在尝试处理CSV文件以查找诸如'duser =','dhost ='和'dproc ='之类的模式,并一旦找到将在其后打印下一个字符串。由于CSV文件的内容不是恒定的,因此我必须首先使用模式匹配。字段分隔符也不是恒定的。请考虑到CSV文件包含CEF格式的日志,并且包含更多其他模式和值。日志格式样本:
CEF:0|Microsoft|Microsoft Windows|Windows 7|Microsoft-Windows-Security-Auditing:4688|A new process has been created.|Low| eventId=1010044130 externalId=4688 msg=Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.Type 1 is a full token with no privileges removed or groups disabled. Type 2 is an elevated token with no privileges removed or groups disabled.Type 3 is a limited token with administrative privileges removed and administrative groups disabled. type=1 start=1523950846517 categorySignificance=/Informational categoryBehavior=/Execute/Start categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1523950885975 cat=Security deviceSeverity=Audit_success rt=1523950863727 dhost=A-Win7Test.*****.net dst=**.**.**.46 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/******* dntdom=****** oldFileHash=en_US|UTF-8 cnt=5 cs2=Process Creation cs6=TokenElevationTypeDefault (1) cs1Label=Mandatory Label cs2Label=EventlogCategory cs3Label=New Process ID cs4Label=Process Command Line cs5Label=Creator Process ID cs6Label=Token Elevation Type ahost=a-server09.****.net agt=**.**.**.9 agentZoneURI=/All Zones/ArcSight System/Public Address Space Zones/******** amac=00-50-56-B8-4F-BB av=7.7.0.8044.0 atz=GMT at=winc dvchost=A-Win7Test.*****.net dvc=**.**.**.46 deviceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/********** deviceNtDomain=***** dtz=GMT _cefVer=0.1 aid=3AaTkhlEBABCABcfWDDqDbw\=\=
似乎以下命令有效:
... | awk 'sub(/.*duser=/,""){print "User:",$1}
但是,它仅适用于第一个模式。您可以猜测执行后,没有更多的行要处理。是否可以选择以不同的模式执行上述命令3次以获取3列的列表?
我想实现:
duser=AAA dhost=BBB dproc=CCC
duser=DDD dhost=EEE dproc=FFF
duser=GGG dhost=HHH dproc=III
感谢您的帮助,谢谢
答案 0 :(得分:0)
喜欢吗?
$ cat file
duser=AAA dhost=BBB dproc=CCC
duser=DDD dhost=EEE dproc=FFF
duser=GGG dhost=HHH dproc=III
$ awk '{print gensub("duser=([^ \t,]+)[ \t,]+dhost=([^ \t,]+)[ \t,]+dproc=([^ \t,]+)", "User: \\1, Host: \\2, Proc: \\3
", 1);}' file
User: AAA, Host: BBB, Proc: CCC
User: DDD, Host: EEE, Proc: FFF
User: GGG, Host: HHH, Proc: III
如果三个部分的位置不同且顺序不同,请尝试以下操作:
awk '{match($0,"duser=([^ \t,]+)",user); match($0,"dhost=([^ \t,]+)",host); match($0,"dproc=([^ \t,]+)",proc); print "User: " user[1] ", Host: " host[1] ", Proc: " proc[1];}' file
在问另一个问题之前,请先阅读mcve。
答案 1 :(得分:0)
您可以尝试Perl。
$ cat lack_of_threat.txt
duser=AAA dhost=BBB dproc=CCC
duser=DDD dhost=EEE dproc=FFF
duser=GGG dhost=HHH dproc=III
$ perl -ne ' /duser=(\S+)\s*dhost=(\S+)\s*dproc=(\S+)/; print "User:$1, Host:$2, Proc:$3\n" ' lack_of_threat.txt
User:AAA, Host:BBB, Proc:CCC
User:DDD, Host:EEE, Proc:FFF
User:GGG, Host:HHH, Proc:III
$