Ways to parse NCSA combined based log files

Using Perl, tested on v5.10.0 built for darwin-thread-multi-2level (OSX)

To print the UserAgent column:

perl -n -e '/^([^ ]+) ([^ ]+) ([^ ]+) (\[[^\]]+\]) "(.*) (.*) (.*)" ([0-9\-]+) ([0-9\-]+) "(.*)" "(.*)"/; print "$11\n"' -- test.log

• option -n while each line in test.log
• option -e one line program

I stole and tweaked the perlre which I Googled from the PHP cookbook. I removed the $ from the end of the re to support custom formats based on NCSA combined. The pattern can be easily extended to provide more groups.

The regular expression groups () end up as local variables $1 to $n

Quick and dirty and very easy to extend and script.

Some examples of piping the output:

• | sort | uniq unique column values
• | sort | uniq | wc -l unique column count

Critique and improvements welcome

Although it doesn't directly address text qualification, one factor that can be taken advantage of in the combined format is that the remaining space delimited columns are consistently in the same column. You can therefore work around the problem by using a loop with printf and NF (number of columns)

According to awk, $0 is the entire input line, $1 is the first column, $2 is the second, and $NF is the last.

So for a standard NCSA combined, user agent is columns $13 through to column $NF

I needed to remove the first column and swap it with the last column of a modified log format (proxied IP was addied to the last column).

So what should be returned was the $NF column, followed by the second column ($2), and then the remaining columns through to NF - 1

I was able to do that with the following:-

awk '{ printf "%s ", $NF; for (i=2; i<=NF-1; i++) printf "%s ", $i; printf "\n";}' < /var/log/nginx/access.log