That request is unclear to me. Please provide a sample file including those three connections that you want to be put out, plus some lines in between that don't match your criteria. Explain the logics with those samples.
We're looking for users who are making more than 3 heavy searches, within the log it will appear as "SRCH=Q".
As listed below in the log, what we would like to do is whenever we find 'SRCH=Q' within the log, we will use the connection number( 13570) and trace it back to the BIND to find out who it is, and then update the user value with number of occurrence, if the occurrence is > 3, perform some action ( like add it to restricted group - we will user some internal command for adding to the group).
Note: Within the logs BIND user come before the SRCH=Q, hence we need to perform a reverse query to get the BIND user.
This thread's post count has reached double-digits and you've yet to provide reasonable sample data. How do you expect someone who is volunteering their time to test their code when the only thing you've provided is two lines? Why make it more difficult than it needs to be for those willing to freely share with you their time and expertise?
Provide a larger data sample that contains log entries which match your criteria, along with the desired output that corresponds to the data sample.
Here is the larger set of data, as mentioned previously we need to identify the occurrence and then perform an internal action, I need the code to identity the occurence :
John,
You keep saying basically the same thing without answering the questions needed to figure out what you're trying to do. Let me give you a simple list of questions. Answer them and we may be able to help, or we may have more questions:
What exactly is the output you want (using CODE tags) when your input contains 3 searches that occur in an hour and show us sample data that we can use as a test that actually contains data that would cause a report to be generated?
What determines the 1 hour time range:
3 BIND entries with timestamps <= 1 hour apart where the corresponding RESULT entries include SRCH=Q?
3 RESULT entries with SRCH=Q with timestamps <= 1 hour?
3 RESULT entries with SRCH=Q where the sum of the differences between the corresponding BIND and RESULT timestamps is >= 1 hour?
something else?
Note that none of the 1st three elements in the above list will trigger a report with any of the sample data you have given us! (However, C would be met if you wanted to report a user using more than one hour of search time in three or fewer searches if we used the data provided in your initial post in this thread.)
Are all timestamps in non-decreasing order?
Are all timestamps in increasing order?
Are all timestamps in the same timezone?
Do we have to worry about shifts to and from daylight savings time?
Are all timestamps in an input file from the same day? If not, will there ever be:"
days that have no RESULT entries with SRCH=Q?
days that have no entries at all?
a time difference between a BIND time and a RESULT time of more than 23:59:59?
If a user has more than one 1 hour time period with 3 SRCH=Q RESULT entries:
Should there only be 1 occurrence reported for the user?
Should there be 1 occurrence reported for every set of 3 SRCH=Q RESULT entries that occur within an hour even if some of the SRCH=Q RESULT entries were used in an earlier report?
Should there be 1 occurrence reported for every set of 3 SRCH=Q RESULT entries that occur within an hour but only if none of the SRCH=Q RESULT entries were used in an earlier report?
Will every RESULT entry have a corresponding BIND entry?:
Could the corresponding BIND appear in a different log file? If the corresponding BIND is not found, should some kind of diagnostic be printed? (If so, exactly what should the diagnostic be?)
Can there be more than one search in progress for a given user at any time? (I.e., can there be two or more BIND entries before the RESULT entry shows up corresponding to the first BIND entry?
Will conn=xxx always be in the 3rd field in every line?
Will "BIND" and "RESULT" always appear in the 7th field in every input line? If so, will the 7th field on any line ever contain anything other than "BIND" or "RESULT"?
On RESULT lines that contain "SRCH=Q", will that string always be the last field on the line?
I assume that you already know the answers to all of the above questions and just haven't shared them with us. If you can't answer some of these questions, please quickly let us know that so we can forget about this topic and concentrate on issues for other forum members. (Then when you can answer them, start a new thread with all of the details we need to be able to help you. And, if you need to start a new thread, show us what you have tried while working on solutions to this problem.)
Last edited by Don Cragun; 06-09-2013 at 06:57 PM..
Reason: fix typo
Thanks for putting all your questions, really appreciate your effort. Here is my response to your questions :
What exactly is the output you want (using CODE tags) when your input contains 3 searches that occur in an hour and show us sample data that we can use as a test that actually contains data that would cause a report to be generated?
# re : As mentioned initially, the output will lead to execution of an internal command ( add group) - no output as such, however we can print the addition within the log. Basically, the intent is to add heavy search users within a restricted group. We need to pull out those users who perform more than 3 searches.
What determines the 1 hour time range:
3 BIND entries with timestamps <= 1 hour apart where the corresponding RESULT entries include SRCH=Q?
3 RESULT entries with SRCH=Q with timestamps <= 1 hour?
3 RESULT entries with SRCH=Q where the sum of the differences between the corresponding BIND and RESULT timestamps is >= 1 hour?
something else?
# re : 1 hour scan is to limit less log scanning, that's all. You can drop the hour part as of now, I am really interested in getting the logic first for the main issue.
Note that none of the 1st three elements in the above list will trigger a report with any of the sample data you have given us! (However, C would be met if you wanted to report a user using more than one hour of search time in three or fewer searches if we used the data provided in your initial post in this thread.)
Are all timestamps in non-decreasing order?
Are all timestamps in increasing order?
Are all timestamps in the same timezone?
# re : Don't bother about timestamp etc. The data which I provided is enough to create the condition. An output for less than too search will not trigger the execution of add group command. All timestamp will be in increasing order, and will be in same timezone.
Do we have to worry about shifts to and from daylight savings time?
Are all timestamps in an input file from the same day? If not, will there ever be:"
days that have no RESULT entries with SRCH=Q?
days that have no entries at all?
a time difference between a BIND time and a RESULT time of more than 23:59:59?
If a user has more than one 1 hour time period with 3 SRCH=Q RESULT entries:
re : We do not care about shifts or daylight saving time. If there are any heavy users, they will eventually get captured during the multiple runs, we don't care if we miss a couple of them due to daylight saving, etc.
Should there only be 1 occurrence reported for the user?
re : No, see my response below.
Should there be 1 occurrence reported for every set of 3 SRCH=Q RESULT entries that occur within an hour even if some of the SRCH=Q RESULT entries were used in an earlier report?
re : Yes, there should only 1 occurrence reported for every set of 3 SRCH=Q, once the user is added to the group, the server will not receive further request due to user being added to restricted group.
Should there be 1 occurrence reported for every set of 3 SRCH=Q RESULT entries that occur within an hour but only if none of the SRCH=Q RESULT entries were used in an earlier report?
re : see my response above.
Will every RESULT entry have a corresponding BIND entry?
re : Yes.
Could the corresponding BIND appear in a different log file? If the corresponding BIND is not found, should some kind of diagnostic be printed? (If so, exactly what should the diagnostic be?)
re: If corresponding BIND does not appear, we will not count that search, and have to drop the search.
Can there be more than one search in progress for a given user at any time? (I.e., can there be two or more BIND entries before the RESULT entry shows up corresponding to the first BIND entry?
re: Ideally, there will be only one BIND search at any given point of time.
Will conn=xxx always be in the 3rd field in every line?
re : yes.
Will "BIND" and "RESULT" always appear in the 7th field in every input line? If so, will the 7th field on any line ever contain anything other than "BIND" or "RESULT"?
re : yes. As shown within the logs, all fiels locations are static.
On RESULT lines that contain "SRCH=Q", will that string always be the last field on the line?
Just a little help if possible
I have a table with date data, I want to select dates that fall between today and 1 month ago, here's my query
SELECT id, stdate, DATE_SUB(CURDATE(), INTERVAL 1 month) as monthago, CURDATE() as today
FROM data_table
where (stdate between 'today' and 'monthago')... (4 Replies)
Hi,
I wish to find the latest occurance of the below string in my log file.
Once found, I need to search the below string after the above string
and display this
Request 331489 has passed
or
Request 331489 has failed
I would like my query to be platform... (11 Replies)
Hi,
I need a shell script, which would search the result values from another files.
1)execute " select column1 from table_name" query on the table.
2)Based on the result, need to be grep from .wft files.
could please explain about this.Below is the way i am using.
#!/bin/sh... (4 Replies)
Hi All,
I have a existing Ldap query which take a HOME as variable and gives the result where i grep for a particular line.
ldapsearch -h server_domain_name -p 389 -D "uid=user,ou=appadm,o=ent" -w PaB -b "ou=roles,o=ent" "cidx=$HOME" | grep -w "ent: xyz"
Now i have 330K Homes in a... (1 Reply)
This issue has been causing me a headache all night....
I have a file, from a third party payment vendor, that contains an export of data including an order number (unique) and a payment value, amongst other data. I need to use the order numbers to integrate the database to check the order... (2 Replies)
Hi,
I have a requirement as below which needs to be done viz UNIX shell script
(1) I have to connect to an Oracle database
(2) Exexute "SELECT field_status from table 1" query on one of the tables.
(3) Based on the result that I get from point (2), I have to update another table in the... (6 Replies)
I would like to do an ldap search which looks for entries which do not actually have a certain attribute. Not that the attribute is Null, but where the attribute does not exist.
Is this possible using ldapsearch? (3 Replies)
Assume I have a text file as below:
me
con pi
ind ken
pras ur
me
con rome
ind kent
pras urs
pintu
con mys
ind pan
pras ki
con kit
ind sys
My requirement,
I need to search for "con rome" and if exists, then print 4th word from rome, i.e in above example, since "con rome"... (4 Replies)
