I have a file where I dump my Firewall logs. Now I want to eliminate everything except the IP addresses from this file so that I can pipe them through uniq -c to allow for a quick overview. Cut doesn't work for this purpose due to varying entry lengths. So it seems like a grep problem, but I can't figure out the right syntax. The entries that I want to filter for look like this: SRC=Some-ipv6-address
The try that looked the best was
grep -w '^SRC'=[1-9:]*
But that only produced empty results.
A sample input:
[UFW BLOCK] IN=wp01 OUT= MAC=25:c5:a3:21:c1:7b:32:21:a9:3f:de:5e:21:aa
SRC=2b32:14f9:c210:27486:0100:0000:0000:0001
DST=1833:00b5:6f4b:7836:0f08:8ae5:87b3:4d04 LEN=60
TC=0 HOPLIMIT=52 FLOWLBL=10001 PROTO=TCP
SPT=80 DPT=56020 WINDOW=0 RES=0x00 RST URGP=0
And the desired output:
2b32:14f9:c210:27486:0100:0000:0000:0001
But you probably would have to include SRC= to distinguish between destination and source and then cut the SRC part off with cut.
Does anybody know the right syntax for this?
CodePudding user response:
One option is to use sed with a capture group, and use that group in the replacement.
sed -nE 's/^SRC=([a-fA-F0-9:]+)/\1/p' file
Output
2b32:14f9:c210:27486:0100:0000:0000:0001
The pattern matches:
^              Start of string
SRC=           Match literally
([a-fA-F0-9:]+)  Capture group 1, match 1 or more times any of the chars in the character class
In the sed command:
-n             Does not print every line by default
/p             Prints the replaced text
\1             Refers to the captured value in group 1
CodePudding user response:
Using any sed or awk in any shell on every Unix box:
$ sed -n 's/^SRC=//p' file
2b32:14f9:c210:27486:0100:0000:0000:0001
$ awk 'sub(/^SRC=/,"")' file
2b32:14f9:c210:27486:0100:0000:0000:0001
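As an added example (not part of either answer above): a small POSIX shell script that does the whole job the question describes, from the SRC= lines to the uniq -c overview. It goes a little beyond the answers in that it finds SRC= anywhere on a line, not only at the start, so it works on both the wrapped records shown in the question and on the single-line form that the kernel and UFW normally write, and its character class also accepts IPv4 dotted addresses. The function names extract_src and count_src and the SAMPLE_LOG records are my own; the log lines are constructed to mimic the question's layout, not copied from a real host.

```shell
#!/bin/sh
# Added example: pull the SRC= address out of every UFW log record and
# count how often each source shows up, busiest first.

# Constructed sample log (made-up addresses). The first two records are
# wrapped across lines like the question's sample; the third is a
# single-line record with an IPv4 source.
SAMPLE_LOG='[UFW BLOCK] IN=wp01 OUT= MAC=25:c5:a3:21:c1:7b:32:21:a9:3f:de:5e:21:aa
SRC=2b32:14f9:c210:2748:0100:0000:0000:0001
DST=1833:00b5:6f4b:7836:0f08:8ae5:87b3:4d04 LEN=60
TC=0 HOPLIMIT=52 FLOWLBL=10001 PROTO=TCP
SPT=80 DPT=56020 WINDOW=0 RES=0x00 RST URGP=0
[UFW BLOCK] IN=wp01 OUT= MAC=25:c5:a3:21:c1:7b:32:21:a9:3f:de:5e:21:aa
SRC=2b32:14f9:c210:2748:0100:0000:0000:0001
DST=1833:00b5:6f4b:7836:0f08:8ae5:87b3:4d04 LEN=60
[UFW BLOCK] IN=wp01 OUT= MAC=25:c5:a3:21:c1:7b:32:21:a9:3f:de:5e:21:aa SRC=203.0.113.7 DST=192.0.2.10 LEN=60'

# extract_src: read log text on stdin, print one source address per record.
# The leading .* lets SRC= sit anywhere on the line; the capture group
# takes the address (hex digits, colons, dots) and the trailing .* drops
# the rest of the line. -n plus the p flag prints only lines that matched,
# so lines without SRC= (the MAC=, DST=, TC= lines) are silently skipped.
extract_src() {
    sed -nE 's/.*SRC=([0-9a-fA-F:.]+).*/\1/p'
}

# count_src: the uniq -c overview the question asked for. uniq -c only
# counts adjacent duplicates, so the addresses are sorted first; the
# final sort -rn puts the most frequent source on top.
count_src() {
    extract_src | sort | uniq -c | sort -rn
}

# Stand-alone demo: run the pipeline over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_src
```

Usage on a real dump is `count_src < /path/to/firewall.log`; the constructed sample above yields the IPv6 source with a count of 2 and the IPv4 source with a count of 1. If you only ever need the question's wrapped layout, `sed -n 's/^SRC=//p'` from the second answer is the shorter choice; the anchored-anywhere form here is what you want once the log lines are no longer wrapped.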