>>> HOSTALIAS REGEXP:172\.26\.(\d{1,3})\.(\d{1,3})$ $1.net
>>>
>>> This will give you an Organization Report that contains a list
>>> <3rdOctet> .net "organizations",
>>>
>>> eg if you have 22 hits from 172.25.147.12, and 36 hits from
>>> 172.26.147.108, then 147.net will be listed with 58 requests.
>>
>> HOSTALIAS REGEXP:(\d+)\.(\d+)\.(\d+) $3.$2.$1.arpa
>
> As I can never get my head round regular expressions, what happened to the
> 4th octet? You haven't anchored your expression to the beginning or end of
> the host string. Is it "safe" to just ignore anything after the 3rd octet?

This uses the perl regex format, which is a greedy matching algorithm.
This means that it uses the first match that it finds on a line. In
the case of an IP address, the above will find the first occurrence of
1 or more digits, followed by a period, followed by 1 or more digits,
followed by a period, followed by 1 or more digits, terminated by
any non-digit (including the end of the string, another period, a
letter, or whatever).

> Would this work for unresolved addresses in a log with DNS resolution
> (ignoring resolved addresses, and only aliasing unresolved addresses?)

This could technically match some domain names in a mixed environment,
since hostnames may legally be all-numeric, except for the TLD. Our log
files only contain IPs, so it's not an issue for us. If you wanted to
limit it to just 4-octet IPs, you could use:

HOSTALIAS REGEXP:^(\d+)\.(\d+)\.(\d+)\.(\d+)$ $3.$2.$1.arpa

This could still match all-numeric strings that weren't valid IPs,
since we didn't specify a limit on the range of digits in each octet
(0-255). I can give you a regex that will do that, but it'll be really
ugly and certainly be overkill.

> Using .arpa is a nice way of addressing the general case, though for an
> intranet using one (or a few) Class C address ranges, sticking with just the
> 3rd octet might be more legible.

It follows the DNS naming scheme for reverse zones, which is
"3rd.2nd.1st.in-addr.arpa". Our organisation uses hundreds of
class C's that exist in at least 3 different class A's, so having
all of the top three octets listed is necessary. If your subnets
were all localized within a single class B, and you still wanted the
full subnet name displayed without worrying about the hierarchy,
you could do this:

HOSTALIAS REGEXP:^(\d+)\.(\d+)\.(\d+)\.(\d+)$ $3-$2-$1.arpa

or this:

HOSTALIAS REGEXP:^(\d+)\.(\d+)\.(\d+)\.(\d+)$ $1-$2-$3.arpa

(This is untested, but I'm assuming hyphens are valid characters
that won't cause a hierarchy break.)

> http://analog.cx/docs/othreps.html#CHART says:

Yeah, I remembered seeing that, but I couldn't find any way to override
the 10-line limit. Sounds like there isn't one. That's a shame, since
"other" is more than 50% in this case. I wouldn't mind having the top
15-20 listed. Oh well.

--
Ben "Obi-Wan" Hollingsworth [EMAIL PROTECTED]
The stuff of earth competes for the allegiance I owe only to the
Giver of all good things, so if I stand, let me stand on the
promise that You will pull me through. -- Rich Mullins
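
The three matching strategies discussed in this message, compared on sample host strings. This is an added example, not part of the original post and not Analog code; it assumes that a matching alias replaces the whole host string, and the range-limited `STRICT` pattern, the helper names and the sample hosts are constructed for illustration.

```python
import re

# Patterns from the thread. re.ASCII keeps \d to 0-9 as in classic Perl regexes.
UNANCHORED = re.compile(r"(\d+)\.(\d+)\.(\d+)", re.ASCII)
ANCHORED = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$", re.ASCII)

# Added here: each octet limited to 0-255, leading zeros rejected.
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT = re.compile(r"^" + r"\.".join([OCTET] * 4) + r"$", re.ASCII)


def alias(pattern, host):
    """Return '3rd.2nd.1st.arpa' when pattern matches, else host unchanged.

    Assumption: a matching alias replaces the whole host string.
    """
    m = pattern.search(host)
    if m is None:
        return host
    return f"{m.group(3)}.{m.group(2)}.{m.group(1)}.arpa"


def subnet_counts(pattern, hosts):
    """Count requests per aliased name, as an organization report would."""
    counts = {}
    for host in hosts:
        key = alias(pattern, host)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample of host fields from a log with partial DNS resolution.
SAMPLE_HOSTS = [
    "172.26.147.12",
    "172.26.147.108",
    "10.1.2.3",
    "999.300.1.2",        # all-numeric but not a valid IPv4 address
    "1.2.3.example.com",  # resolved name that starts with numeric labels
    "www.example.com",
]

if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED),
                      ("strict", STRICT)):
        print(name)
        for key, n in sorted(subnet_counts(pat, SAMPLE_HOSTS).items()):
            print(f"  {n:2d}  {key}")
```

With the unanchored pattern the resolved name `1.2.3.example.com` is folded into a subnet bucket; only the range-limited pattern leaves `999.300.1.2` alone.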