Given this text in packet.test2
May 16 21:35:35 www kernel: icmp_try IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=144.232.20.162
DST=192.168.1.95 LEN=56 TOS=0x00 PREC=0xC0 TTL=241 ID=57923 PROTO=ICMP TYPE=11
CODE=0 [SRC=66.76.12.5 DST=200.216.94.217 LEN=40 TOS=0x00 PREC=0x00 TTL=1
ID=25653 PROTO=TCP INCOMPLETE [8 bytes] ]
May 16 21:54:39 www kernel: icmp_try IN=eth0 OUT=
MAC=00:d0:09:3d:69:81:00:04:5a:ef:5e:1d:08:00 SRC=144.232.7.98
DST=192.168.1.95 LEN=56 TOS=0x00 PREC=0x00 TTL=239 ID=0 PROTO=ICMP TYPE=11
CODE=0 [SRC=66.76.12.5 DST=200.222.69.36 LEN=40 TOS=0x00 PREC=0x00 TTL=1
ID=62986 PROTO=TCP INCOMPLETE [8 bytes] ]
Why does this command
$ grep -i "`date '+%b %_d'`" packet.test2 | sed -re 's/.*SRC=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]).*/\1/' 66.76.12.5 66.76.12.5
pick up the second SRC rather than the first?
I'm not a sed expert, but I'm guessing it's behaving "greedy", similar to perl regex. The first SRC actually falls within the ".*" portion of your match, and the last match is what counts.
-- Jason Dixon, RHCE DixonGroup Consulting http://www.dixongroup.net
-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
