AWK -一次匹配多个模式

Question

我正在处理CSV文件，以找到“duser=”、“dhost=”和“dproc=”之类的模式，并在之后找到打印的下一个字符串。由于CSV文件的内容不是常数，所以我必须首先使用模式匹配。字段分隔符也不是固定的。请考虑CSV文件包含CEF格式的日志，并包含更多其他模式和值。样本日志格式：

CEF:0|Microsoft|Microsoft Windows|Windows 7|Microsoft-Windows-Security-Auditing:4688|A new process has been created.|Low| eventId=1010044130 externalId=4688 msg=Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.Type 1 is a full token with no privileges removed or groups disabled. Type 2 is an elevated token with no privileges removed or groups disabled.Type 3 is a limited token with administrative privileges removed and administrative groups disabled. type=1 start=1523950846517 categorySignificance=/Informational categoryBehavior=/Execute/Start categoryDeviceGroup=/Operating System catdt=Operating System categoryOutcome=/Success categoryObject=/Host/Resource/Process art=1523950885975 cat=Security deviceSeverity=Audit_success rt=1523950863727 dhost=A-Win7Test.*****.net dst=**.**.**.46 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/******* dntdom=****** oldFileHash=en_US|UTF-8 cnt=5 cs2=Process Creation cs6=TokenElevationTypeDefault (1) cs1Label=Mandatory Label cs2Label=EventlogCategory cs3Label=New Process ID cs4Label=Process Command Line cs5Label=Creator Process ID cs6Label=Token Elevation Type ahost=a-server09.****.net agt=**.**.**.9 agentZoneURI=/All Zones/ArcSight System/Public Address Space Zones/******** amac=00-50-56-B8-4F-BB av=7.7.0.8044.0 atz=GMT at=winc dvchost=A-Win7Test.*****.net dvc=**.**.**.46 deviceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/********** deviceNtDomain=***** dtz=GMT _cefVer=0.1 aid=3AaTkhlEBABCABcfWDDqDbw\=\=

参考文献：https://community.softwaregrp.com/t5/ArcSight-User-Discussions/Issue-with-Windows-Event-4688/td-p/1641345

看来下面的命令起作用了：

... | awk 'sub(/.*duser=/,""){print "User:",$1}

但是，它只适用于第一种模式。执行后，您可以猜到，没有更多的行要处理。是否有任何选项可以以不同的模式执行上述命令3次，以获得3列的列表？

我要做到：

duser=AAA dhost=BBB dproc=CCC
duser=DDD dhost=EEE dproc=FFF
duser=GGG dhost=HHH dproc=III

感谢你的帮助，谢谢

Answer 1

是像这样吗？

$ cat file
duser=AAA dhost=BBB dproc=CCC
duser=DDD dhost=EEE dproc=FFF
duser=GGG dhost=HHH dproc=III

$ awk '{print gensub("duser=([^ \t,]+)[ \t,]+dhost=([^ \t,]+)[ \t,]+dproc=([^ \t,]+)", "User: \\1, Host: \\2, Proc: \\3
", 1);}' file
User: AAA, Host: BBB, Proc: CCC
User: DDD, Host: EEE, Proc: FFF
User: GGG, Host: HHH, Proc: III

如果这三个部分在不同的位置和不同的序列中，那么尝试如下：

awk '{match($0,"duser=([^ \t,]+)",user);  match($0,"dhost=([^ \t,]+)",host);  match($0,"dproc=([^ \t,]+)",proc);  print "User: " user[1] ", Host: " host[1] ", Proc: " proc[1];}' file

在问其他问题之前，请先阅读mcve。

Answer 2

您可以尝试Perl。

$ cat lack_of_threat.txt
duser=AAA dhost=BBB dproc=CCC
duser=DDD dhost=EEE dproc=FFF
duser=GGG dhost=HHH dproc=III
$ perl -ne ' /duser=(\S+)\s*dhost=(\S+)\s*dproc=(\S+)/; print "User:$1, Host:$2, Proc:$3\n" ' lack_of_threat.txt
User:AAA, Host:BBB, Proc:CCC
User:DDD, Host:EEE, Proc:FFF
User:GGG, Host:HHH, Proc:III
$