从你给出的log数据来看: [hostname_linux_a2] /home/user/script.sh
像以上这样的脚本运行记录是比较固定且和其他类型内容有区别的,所以可以用正则(假设主机名只包含字母,数字,下划线,点,横线): $line =~ /^\[([\w.-]+)\]\s*[^\s].*$/ 来进行匹配,此时 $1 匹配到 hostname_linux_a2, 你可以用一个hash,以匹配到的主机名作为key,在下一次该正则表达式匹配成功前,将通过fayland的代码得到的 message-log 或者 apachelog 之类的内容存进 hash 中,这样便如你所要求的一样按主机名分组了 如果日志量大,不妨以组为单位格式化好你的数据进行输出,并清空这组涉及到的数组等数据,以免占用过多内存。 2010/1/10 Gary.jsz <[email protected]> > 如果我的数据是这样的: > > [hostname_linux_a1] /home/user/script.sh > ----------messages---------------- > Jan 9 05:30:13 linux-lhkq sshd[5118]: Accepted keyboard-interactive/pam > for root from 192.168.44.1 port 2394 ssh2 > > ----------apache-log---------------- > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > "ApacheBench/2.0.40-dev" > > ###################################################### > ###############mail-log############################### > Jan 3 19:21:17 linux-lhkq postfix/postfix-script: starting the Postfix > mail system > > [hostname_linux_a2] /home/user/script.sh > ----------messages---------------- > Jan 9 05:30:13 linux-lhkq sshd[5118]: Accepted keyboard-interactive/pam > for root from 192.168.44.1 port 2394 ssh2 > > ----------apache-log---------------- > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > "ApacheBench/2.0.40-dev" > > ###################################################### > ###############mail-log############################### > Jan 3 19:21:17 linux-lhkq postfix/postfix-script: starting the Postfix > mail system > > [hostname_linux_a3] /home/user/script.sh > ----------messages---------------- > Jan 9 05:30:13 linux-lhkq sshd[5118]: Accepted keyboard-interactive/pam > for root from 192.168.44.1 port 2394 ssh2 > > ----------apache-log---------------- > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > "ApacheBench/2.0.40-dev" > > ###################################################### > ###############mail-log############################### > Jan 3 19:21:17 linux-lhkq postfix/postfix-script: starting the Postfix > mail system > > > 多了一个:[hostname_linux_a3] /home/user/script.sh > 行,中括号里面的是主机名,那么我如何按照主机命来分组这些信息。 > 比如: @hostname_linux_a1的内容为: [hostname_linux_a1] /home/user/script.sh > 与[hostname_linux_a2] /home/user/script.sh 之间的数据。 > > > > > > > ======= 2011-01-06 18:03 Fayland Lam 您在来信中写到:Re: [PerlChina] 一个关于配置刷选的问题 > ======= > > that's pretty simple like: > > my $section_now; > my (@messages, @mail_log, @apache_log); > while (my $line = <$fh>) { > if ($line =~ /^(\-+)messages(\-+)$/) { > $section_now = 'messages'; next; > } elsif ($line =~ /^(\-+)apache\-log(\-+)$/) { > $section_now = 'apache-log'; next; > } elsif ($line =~ s/^(\#+)mail\-log(\#+)$/) { > $section_now = 'mail-log'; next; > } > next unless $section_now; # before ---messages--- > next if $line =~ /^\#+$/; the ########## line > if ($section_now eq 'message') { > push @messages, $line; > } elsif ($section eq 'apache-log') { > push @apache_log, $line; > } > } > > OK. untested. but basically the above should work for you. > > Thanks > > 2011/1/6 Gary.jsz <[email protected]>: > > 大家好! > > > > 有个问题比较疑惑,不知道怎么处理了,还请指点指点。 > > > > 我有一个文件,内容如下: > > > > ----------messages---------------- > > Jan 9 05:30:13 linux-lhkq sshd[5118]: Accepted keyboard-interactive/pam > for > > root from 192.168.44.1 port 2394 ssh2 > > Jan 9 06:01:25 linux-lhkq syslog-ng[3412]: STATS: dropped 0 > > Jan 9 06:01:38 linux-lhkq zmd: ShutdownManager (WARN): Preparing to > > sleep... > > Jan 9 06:01:38 linux-lhkq zmd: ShutdownManager (WARN): Going to sleep, > > waking up at 01/10/2011 04:51:38 > > Jan 9 06:31:00 linux-lhkq kernel: ISO 9660 Extensions: Microsoft Joliet > > Level 3 > > Jan 9 06:31:00 linux-lhkq kernel: ISO 9660 Extensions: RRIP_1991A > > Jan 9 06:56:50 linux-lhkq shadow[9035]: group is unknown - > group=wwwadmin, > > by=0 > > Jan 9 06:56:50 linux-lhkq shadow[9036]: default group changed - > > account=wwwrun, uid=30, gid=8, old gid=8, by=0 > > Jan 9 06:56:50 linux-lhkq shadow[9037]: shell changed - account=wwwrun, > > uid=30, shell=/bin/false, old shell=/bin/false, by=0 > > Jan 9 07:01:25 linux-lhkq syslog-ng[3412]: STATS: dropped 0 > > > > > > ----------apache-log---------------- > > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > > "ApacheBench/2.0.40-dev" > > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > > "ApacheBench/2.0.40-dev" > > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > > "ApacheBench/2.0.40-dev" > > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > > "ApacheBench/2.0.40-dev" > > 127.0.0.1 - - [09/Jan/2011:07:00:06 +0800] "GET / HTTP/1.0" 403 1045 "-" > > "ApacheBench/2.0.40-dev" > > 127.0.0.1 - - [09/Jan/2011:07:00:16 +0800] "GET / HTTP/1.0" 403 1045 "-" > > "ApacheBench/2.0.40-dev" > > > > > > ###################################################### > > ###############mail-log############################### > > Jan 3 19:21:17 linux-lhkq postfix/postfix-script: starting the Postfix > mail > > system > > Jan 3 19:21:17 linux-lhkq postfix/master[4648]: daemon started -- version > > > 2.2.9, configuration /etc/postfix > > Jan 4 14:16:41 linux-lhkq postfix/postfix-script: starting the Postfix > mail > > system > > Jan 4 14:16:42 linux-lhkq postfix/master[4632]: daemon started -- version > > > 2.2.9, configuration /etc/postfix > > Jan 4 15:52:46 linux-lhkq postfix/master[4632]: terminating on signal 15 > > Jan 7 19:19:58 linux-lhkq postfix/postfix-script: starting the Postfix > mail > > system > > Jan 7 19:19:59 linux-lhkq postfix/master[4628]: daemon started -- version > > > 2.2.9, configuration /etc/postfix > > Jan 7 19:24:37 linux-lhkq postfix/master[4628]: terminating on signal 15 > > Jan 9 05:01:32 linux-lhkq postfix/postfix-script: starting the Postfix > mail > > system > > Jan 9 05:01:33 linux-lhkq postfix/master[4573]: daemon started -- version > > > 2.2.9, configuration /etc/postfix > > > > > > > > 我想把各个块下面的内容输出到一个列表,不知道怎么操作。 > > > > 结果如: > > > > @messages的内容是 messages段下面(apache-log上面)的内容 > > @apache-log的内容为apache-log与mail-log之间的内容 > > ....... > > > > > > > > 先谢谢了! > > > > -- > > 您收到此邮件是因为您订阅了 Google 网上论坛的"PerlChina Mongers 讨论组"论坛。 > > 要向此网上论坛发帖,请发送电子邮件至 [email protected]。 > > 要取消订阅此网上论坛,请发送电子邮件至 > > [email protected]<perlchina%[email protected]>。 > > > 若有更多问题,请通过 http://groups.google.com/group/perlchina?hl=zh-CN 访问此网上论坛。 > > > > > > -- > Fayland Lam // http://www.fayland.org/ > > -- > 您收到此邮件是因为您订阅了 Google 网上论坛的"PerlChina Mongers 讨论组"论坛。 > 要向此网上论坛发帖,请发送电子邮件至 [email protected]。 > 要取消订阅此网上论坛,请发送电子邮件至 > [email protected]<perlchina%[email protected]>。 > > 若有更多问题,请通过 http://groups.google.com/group/perlchina?hl=zh-CN 访问此网上论坛。 > > . > > > = = = = = = = = = = = = = = = = = = = = > > ------------------------------ > 深圳市傲冠软件股份有限公司 运营部 蒋士竹 > ---------------------------------------------------------- > *Address*: 深圳市福田区深南大道6015号本元大厦16楼 518040 > *Tel*: (0)13816642255 *MSN*: [email protected] > *Email*: [email protected] *Website*: www.skybility.com > > -- > 您收到此邮件是因为您订阅了 Google 网上论坛的“PerlChina Mongers 讨论组”论坛。 > 要向此网上论坛发帖,请发送电子邮件至 [email protected]。 > 要取消订阅此网上论坛,请发送电子邮件至 > [email protected]<perlchina%[email protected]> > 。 > 若有更多问题,请通过 http://groups.google.com/group/perlchina?hl=zh-CN 访问此网上论坛。 > -- 您收到此邮件是因为您订阅了 Google 网上论坛的“PerlChina Mongers 讨论组”论坛。 要向此网上论坛发帖,请发送电子邮件至 [email protected]。 要取消订阅此网上论坛,请发送电子邮件至 [email protected]。 若有更多问题,请通过 http://groups.google.com/group/perlchina?hl=zh-CN 访问此网上论坛。
