<br><br><div class="gmail_quote">On Tue, Dec 16, 2008 at 10:37 AM, <a href="mailto:maddaemon@gmail.com">maddaemon@gmail.com</a> <span dir="ltr"><<a href="mailto:maddaemon@gmail.com">maddaemon@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="Wj3C7c">On Mon, Dec 15, 2008 at 8:46 PM, Jan Schaumann <<a href="mailto:jschauma@netmeister.org">jschauma@netmeister.org</a>> wrote:<br>
> "<a href="mailto:maddaemon@gmail.com">maddaemon@gmail.com</a>" <<a href="mailto:maddaemon@gmail.com">maddaemon@gmail.com</a>> wrote:<br>
><br>
>> Dec 15 05:15:56 - abc1234 tried logging in from 192.168.8.17<br>
>> Dec 15 05:15:56 - abc1234 tried logging in from 192.168.18.13<br>
><br>
> Split into timestamp, line and IP. Use a hash:<br>
><br>
> if $line matched "abc1234 tried logging in from"<br>
> if ! $line_by_ts{$timestamp}<br>
> $line_by_ts{$timestamp} = $ip<br>
> else<br>
> if $ip != $line_by_ts{$timestamp}<br>
> # dupe with different ip<br>
> else<br>
> # dupe with same ip<br>
> endif<br>
> endif<br>
> endif<br>
><br>
> awk or perl should do.<br>
><br>
> -Jan<br>
<br>
</div></div>That looks like it might work, except for the fact that there are a<br>
possible 300+ user IDs that might be in the list. Is there a way in<br>
this line:<br>
<div class="Ih2E3d"><br>
if $line matched "abc1234 tried logging in from"<br>
<br>
</div>to use a variable instead of "abc1234"?<br>
<div><div></div><div class="Wj3C7c">_______________________________________________<br>
talk mailing list<br>
<a href="mailto:talk@lists.nycbug.org">talk@lists.nycbug.org</a><br>
<a href="http://lists.nycbug.org/mailman/listinfo/talk" target="_blank">http://lists.nycbug.org/mailman/listinfo/talk</a></div></div></blockquote></div><br><br>No, perl and awk only have limited text processing functions, it has to be an official timestamp.<br>
<br>-jesse<br>