I currently use grep to find strings in log output. My new task requires that I find multiple entries in individual files, specifically MAC address entries attached to a switch port. After running an audit of the network (5k+ devices), I am not worried about finding those files with a single MAC being reported coming in on switch port 1, for example. I need to find those files, and output that information, for switches that are learning more than 1 MAC on switch port 1.

Ideally, if I can search for all 48 ports in a single line, that would make my job easier. If I do have to go through the list 48 times, that is not the end of the world.

Thank you guys and gals in advance. Apologies, as this is my first question I've ever asked on this platform.

Example of what I currently do:

grep "ge-0/0/2.0" example1.log
INTERNET       de:ad:be:ef:00:01 Learn       2:21 ge-0/0/2.0
INTERNET       de:ad:be:ef:00:02 Learn          0 ge-0/0/2.0
DATA           de:ad:be:ef:01:01 Learn       4:20 ge-0/0/2.0

grep "ge-0/0/20.0" example1.log
POS            de:ad:be:ef:02:01 Learn          0 ge-0/0/20.0

grep "ge-0/0/2*.0" example1.log
INTERNET       de:ad:be:ef:00:01 Learn       2:21 ge-0/0/2.0
INTERNET       de:ad:be:ef:00:02 Learn          0 ge-0/0/2.0
DATA           de:ad:be:ef:01:02 Learn          0 ge-0/0/30.0
DATA           de:ad:be:ef:01:01 Learn       4:20 ge-0/0/2.0
POS            de:ad:be:ef:02:02 Learn          0 ge-0/0/10.0
POS            de:ad:be:ef:02:01 Learn          0 ge-0/0/20.0

But going through that raw info can get tedious and mistakes get made. All of my switches start with the same 2 letters, so that makes it easier until I look at the output of it. The single line entries like for ge-0/0/20.0 above get easily mixed in.

What I am exactly looking for from the example above would be:

INTERNET       de:ad:be:ef:00:01 Learn       2:21 ge-0/0/2.0
INTERNET       de:ad:be:ef:00:02 Learn          0 ge-0/0/2.0
DATA           de:ad:be:ef:01:01 Learn       4:20 ge-0/0/2.0
  • How is your expected output different from the grep "ge-0/0/2.0" example1.log output? – deimos Jun 14 '19 at 15:41
  • Also, when in grep, do not use the * asterisk symbol when you mean any number of any characters. Use .* instead. . stands for any character and * stands for anything. So the grep "ge-0/0/2.*.0" example1.log will give you ge-0/0/2.0 and ge-0/0/20.0, but not ge-0/0/30.0 – deimos Jun 14 '19 at 15:50
  • @deimos the expected output for ge-0/0/2.0 is just showing that ge-0/0/2.0 has multiple entries as opposed to ge-0/0/20.0 or ge-0/0/30.0 – Thadion Jun 14 '19 at 16:04
  • @deimos noted about using the period over the asterisk. Old habits that still work. – Thadion Jun 14 '19 at 16:08
  • @Thadion But the grep "ge-0/0/2.0" example1.log already gives you that. What is your question? – deimos Jun 14 '19 at 16:11
  • @deimos I have to do this for 48 ports across 5k devices. If someone here knows a better way to do it, that would be great. Maybe my question doesn't make sense though. – Thadion Jun 14 '19 at 16:14
  • The question is fine, but the examples are a bit confusing. Anyway, does multiple pattern grep work for you? – deimos Jun 14 '19 at 16:18
  • I guess multiple pattern would work. I'm just looking for more than one entry on a port. The thing with a MAC address is that it is unique. The port numbers are not. They are standard. – Thadion Jun 14 '19 at 16:35

1 Answer

I suppose you're looking for a multiple pattern grep.

grep 'pattern1\|pattern2' logfile

OR

grep -E 'pattern1|pattern2' logfile

The number of patterns can be as long as you want. It will print lines that match pattern1 OR pattern2.

deimos
  • Personally I prefer egrep to grep -E as it's faster to type. – zjeffer Jun 14 '19 at 15:37
  • @zjeffer egrep is deprecated and so you shouldn't rely on it always being present, see https://unix.stackexchange.com/a/383454/133219 and http://pubs.opengroup.org/onlinepubs/9699919799/utilities/grep.html. – Ed Morton Jun 16 '19 at 14:43
  • @EdMorton would alias egrep="grep -E" work? – zjeffer Jun 16 '19 at 15:19
  • @zjeffer Yes it would, but you'll find yourself logging onto/porting scripts to new machines and trying to run egrep and it's not there. You're better off just getting used to calling grep -E to use EREs in grep just like you'd call sed -E to use EREs in sed. – Ed Morton Jun 16 '19 at 15:26
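
A multiple-pattern grep still prints ports that learned a single MAC, so for the audit the question describes it is more direct to count distinct MACs per port in each file and print only the ports with more than one. The script below is an added example, not part of the original answer; it assumes the five-column row layout shown in the question, and the names multi_mac_ports, demo and example2.log are made up for illustration.

```shell
#!/bin/sh
# Added example: list ports that learned more than one distinct MAC, per file.
# Assumed row layout, taken from the sample output in the question:
#   VLAN  MAC  Learn  AGE  PORT
multi_mac_ports() {
    awk '
        # Keep only rows with a MAC in field 2 and a ge-x/y/z.u port in the last field.
        length($2) == 17 && $2 ~ /^[0-9A-Fa-f:]+$/ &&
        $NF ~ /^ge-[0-9]+\/[0-9]+\/[0-9]+\.[0-9]+$/ {
            key = FILENAME SUBSEP $NF
            id = key SUBSEP $2
            if (id in seen) next                  # same MAC listed again on this port
            seen[id] = 1
            count[key]++
            macs[key] = (macs[key] == "" ? "" : macs[key] ",") $2
        }
        END {
            for (key in count) {
                if (count[key] < 2) continue      # single-MAC ports are not reported
                split(key, part, SUBSEP)
                print part[1], part[2], count[key], macs[key]
            }
        }
    ' "$@" | LC_ALL=C sort
}

demo() {
    dir=$(mktemp -d) || return 1
    # example1.log reuses the rows shown in the question; example2.log is constructed.
    cat > "$dir/example1.log" <<'EOF'
INTERNET       de:ad:be:ef:00:01 Learn       2:21 ge-0/0/2.0
INTERNET       de:ad:be:ef:00:02 Learn          0 ge-0/0/2.0
DATA           de:ad:be:ef:01:02 Learn          0 ge-0/0/30.0
DATA           de:ad:be:ef:01:01 Learn       4:20 ge-0/0/2.0
POS            de:ad:be:ef:02:02 Learn          0 ge-0/0/10.0
POS            de:ad:be:ef:02:01 Learn          0 ge-0/0/20.0
EOF
    cat > "$dir/example2.log" <<'EOF'
DATA           de:ad:be:ef:03:01 Learn          0 ge-0/0/5.0
VOICE          de:ad:be:ef:03:01 Learn       1:05 ge-0/0/5.0
POS            de:ad:be:ef:03:02 Learn          0 ge-0/0/7.0
POS            de:ad:be:ef:03:03 Learn          0 ge-0/0/7.0
EOF
    (cd "$dir" && multi_mac_ports example1.log example2.log)
    rm -rf "$dir"
}
demo
```

Run against the real audit output as `multi_mac_ports *.log`; each output line is file, port, distinct MAC count, and the MACs seen. A MAC that appears on the same port in two VLANs is counted once.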