extracting a similar but changing pattern
72 views
Skip to first unread message
DiBello Design
Jul 26, 2022, 8:55:41 PM7/26/22
to BBEdit Talk
greetings. Newbe trying to extract ip addresses from a log file.
Ip addresses are all different. They are at the end of each line with a c= preface. like c=38.133.119.165
[Tue Jul 26 19:09:37.658083 2022] [qos:error] [pid 1197:tid 47464083257088] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=246, this connection=0, c=70.160.126.199
Ip addresses are all different. They are at the end of each line with a c= preface. like c=38.133.119.165
the actual lines look like this:
[Tue Jul 26 19:09:37.711177 2022] [qos:error] [pid 1330:tid 47464083257088] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=246, this connection=0, c=38.133.119.165
how do I remove everything from the line except c=xx.xx.xx.xx ?
Tom Robinson
Jul 26, 2022, 10:11:20 PM7/26/22
to BBEdit Talk
Do a search for:
^.*(c=[0-9.]+)$
^ anchor pattern to beginning of line
.* any number of any character
() capture buffer — copy anything inside the brackets to ‘\1'
[0-9.] look for any of these characters
+ 1 or more times
$ end of line
and replace the entire match (i.e. line) with the capture buffer:
\1
You could make the IP match more exact, but I don’t think the complexity is warranted.
Cheers
Kjetil Rå Hauge
Jul 27, 2022, 8:18:00 AM7/27/22
to BBEdit Talk
How about a grep search for:
c=[0-9]{2}\.[0-9]{3}\.[0-9]{3}\.[0-9]{3}
... and use the command "Extract" in the Find menu?
________________________________________
From: bbe...@googlegroups.com <bbe...@googlegroups.com> on behalf of DiBello Design <dibell...@gmail.com>
Sent: 27 July 2022 02:55
To: BBEdit Talk
Subject: extracting a similar but changing pattern
--
This is the BBEdit Talk public discussion group. If you have a feature request or need technical support, please email "sup...@barebones.com" rather than posting here. Follow @bbedit on Twitter: <https://twitter.com/bbedit>
---
You received this message because you are subscribed to the Google Groups "BBEdit Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bbedit+un...@googlegroups.com<mailto:bbedit+un...@googlegroups.com>.
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/959c2444-b493-492f-b824-7f0278a2b468n%40googlegroups.com<https://groups.google.com/d/msgid/bbedit/959c2444-b493-492f-b824-7f0278a2b468n%40googlegroups.com?utm_medium=email&utm_source=footer>.
c=[0-9]{2}\.[0-9]{3}\.[0-9]{3}\.[0-9]{3}
... and use the command "Extract" in the Find menu?
________________________________________
From: bbe...@googlegroups.com <bbe...@googlegroups.com> on behalf of DiBello Design <dibell...@gmail.com>
Sent: 27 July 2022 02:55
To: BBEdit Talk
Subject: extracting a similar but changing pattern
This is the BBEdit Talk public discussion group. If you have a feature request or need technical support, please email "sup...@barebones.com" rather than posting here. Follow @bbedit on Twitter: <https://twitter.com/bbedit>
---
You received this message because you are subscribed to the Google Groups "BBEdit Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bbedit+un...@googlegroups.com<mailto:bbedit+un...@googlegroups.com>.
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/959c2444-b493-492f-b824-7f0278a2b468n%40googlegroups.com<https://groups.google.com/d/msgid/bbedit/959c2444-b493-492f-b824-7f0278a2b468n%40googlegroups.com?utm_medium=email&utm_source=footer>.
Rod Buchanan
Jul 27, 2022, 10:38:02 AM7/27/22
to 'Dmitry Markman' via BBEdit Talk
In the Find dialog click the lowercase "g" dropdown and select "Dotted Quad":
(\d+\.){3}\d+
Modify it:
(c=(\d+\.){3}\d+)
Then click "Extract" as Kjetil suggested.
--
This is the BBEdit Talk public discussion group. If you have a feature request or need technical support, please email "sup...@barebones.com" rather than posting here. Follow @bbedit on Twitter: <https://twitter.com/bbedit>
---
You received this message because you are subscribed to the Google Groups "BBEdit Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bbedit+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/959c2444-b493-492f-b824-7f0278a2b468n%40googlegroups.com.
DiBello Design
Jul 27, 2022, 11:29:32 AM7/27/22
to bbe...@googlegroups.com
thanks everyone! Trying to find patterns in a SlowLoris attack on my server.
Rod you were correct in that I did not know about the quadded item in the menu. And your suggestion worked as well. Thanks.
You received this message because you are subscribed to a topic in the Google Groups "BBEdit Talk" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/bbedit/RxzJ-7VG7aE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to bbedit+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/6D9A2221-3943-4FF1-B946-7207FE2E04BF%40sofstats.com.
--
Rod Buchanan
Jul 27, 2022, 4:10:03 PM7/27/22
to 'Dmitry Markman' via BBEdit Talk
^.*?(c=(\d+\.){3}\d+).*$
Replace:
\1
This will delete everything on the line except "c=IP address".
HTH,
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/CADU6VFOWUwWv2hXPA%2BBv62NCKeXmDvUKsOHXasFCx_v4GxgZow%40mail.gmail.com.
DiBello Design
Jul 27, 2022, 4:31:09 PM7/27/22
to bbe...@googlegroups.com
I didn't articulate my question properly. I'm having no trouble (thanks to everyone) extracting the ip addresses.
My last question was how to just move the ip address at the end to the beginning of the line like:[Tue Jul 26 19:13:40.922101 2022] [qos:error] [pid 1197:tid 47464083257088] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=158, this connection=0, c=67.86.3.124
to
67.86.3.124 [Tue Jul 26 19:13:40.922101 2022] [qos:error] [pid 1197:tid 47464083257088] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=158, this connection=0, c=
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/116AB50E-C6EA-411D-8B41-F1B4FA3BE681%40sofstats.com.
Watts Martin
Jul 27, 2022, 5:09:28 PM7/27/22
to bbe...@googlegroups.com
It looks like you can do that by searching for
^(.+?)((\d+\.){3}\d+)$
and replacing it with
\2 \1
That basically captures two search items: the first is everything from the start of the line up to the IP address, and the second is the IP address.
Tom Robinson
Jul 27, 2022, 5:11:12 PM7/27/22
to BBEdit Talk
Similar to before, you just need 2 capture buffers:
^(.*)c=([0-9.]+)$
Replace with:
\2 \1
You could also just copy the IP to the start:
^.*c=([0-9.]+)$
Replace with capture buffer followed by entire match:
\1 &
Cheers
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/CADU6VFMAiLZzm3Zp_aoR7F6mpqgRxMEMNrwpa7pKRvoV9bGRbw%40mail.gmail.com.
DiBello Design
Jul 27, 2022, 6:10:44 PM7/27/22
to bbe...@googlegroups.com
that did it! thanks Watts. and of course everyone else who expanded my usage of BBEdit. Been using BBEdit for 20 years as a web designer but have limited grep regex experience.
--
This is the BBEdit Talk public discussion group. If you have a feature request or need technical support, please email "sup...@barebones.com" rather than posting here. Follow @bbedit on Twitter: <https://twitter.com/bbedit>
---
You received this message because you are subscribed to a topic in the Google Groups "BBEdit Talk" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/bbedit/RxzJ-7VG7aE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to bbedit+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bbedit/CA%2BGozv3HP7xwTmDcdU%2Bn%3DVp%2BQpK_QCCjtAmaaUR8h1XZ6RTGxQ%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages