Extract ip address ,

bigfixforum · September 28, 2020, 3:04pm

I am trying to pull the ip address or extract whole word which has dots from the chrony.conf.

Q: ((lines of file “/etc/chrony.conf”) whose (it contains “server” AND it does not contain “#” ) )
A: server 11.165.48.29 prefer iburst minpoll 4 maxpoll 4 xleave
A: server 13.165.144.30 prefer iburst minpoll 4 maxpoll 4 xleave
A: server 12.254.254.233 prefer iburst minpoll 4 maxpoll 4 xleave
T

not sure how to put this “unique values of matches (regex “([0-9]{1,3}[.]){3}[0-9]{1,3}”) of lines” with above query or extract the word which has “dots”

trn · September 29, 2020, 7:51am

To find the lines which contain “server”, do not contains “#” and also contain something that looks like an IP address

Q: (lines of file "/etc/chrony.conf") whose (it contains "server" AND it does not contain "#" and exists regex ("([0-9]{1,3}\.){3}[0-9]{1,3}"))
A: server 11.165.48.29 prefer iburst minpoll 4 maxpoll 4 xleave
A: server 13.165.144.30 prefer iburst minpoll 4 maxpoll 4 xleave
A: server 12.254.254.233 prefer iburst minpoll 4 maxpoll 4 xleave

You could probably do all of the filtering using regex.

To extract just the IP Addresses

Q: parenthesized parts 1 of matches (regex "\s(([0-9]{1,3}\.){3}[0-9]{1,3})\s") of  (lines of file "/etc/chrony.conf") whose (it contains "server" AND it does not contain "#" and exists regex ("([0-9]{1,3}\.){3}[0-9]{1,3}"))
A: 11.165.48.29
A: 13.165.144.30
A: 12.254.254.233

bigfixforum · September 29, 2020, 1:10pm

Thanks. But our ntp setting all over the places. It has IP address and fqdn.

This regex work with grep but not with query

$ grep “^server” /tmp/ntp.conf |grep -oE “\S+.\S*”
ntp.ops.aa-cc.org
10.254.254.233
10.254.254.231
ntp.ops.aa-cc1.org
1.rhel.pool.ntp.org
127.127.1.0
10.254.254.232
143.165.48.29
1.rhel.pool.ntp.org
2.rhel.pool.ntp.org

Q: matches (regex “\S+.\S*”) of (lines of file “/tmp/ntp.conf”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
A: ntp.ops.aa-cc.org
A: tp.ops.aa-cc.org
A: p.ops.aa-cc.org
A: .ops.aa-cc.org
A: ops.aa-cc.org
A: ps.aa-cc.org
A: s.aa-cc.org
A: .aa-cc.org
…

trn · September 29, 2020, 3:01pm

Your original request just had IP addresses and a regex that looked like an IP Address

I’m sure you could use the relevance above and plug your regex expression in.

bigfixforum · September 29, 2020, 3:06pm

this is baffling me… same query works fine in linux but not in solaris/hp-ux/aix.

Solaris10/ besclient9.5.x
Q: (lines of file “/etc/inet/ntp.conf”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
A: server 10.25.25.1
A: server 10.25.25.2
A: server 10.25.25.3
T: 3685

Q: matches (regex “\s(\S+).\w*”) of (lines of file “/etc/inet/ntp.conf”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
T: 3783

Hp-UX besclient9.2
Q: (lines of file “/home/salathi/1”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
A: server time1.xyz.com
A: server time2.xyz.com
T: 85655

Q: matches (regex “\s(\S+).\w*”) of (lines of file “/home/salathi/1”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
T: 12710

linux besclient9.5.x
Q: matches (regex “\s(\S+).\w*”) of (lines of file “/home/salathi/1”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
A: time1.xyz.com
A: time2.xyz.com
T: 4437

AIX besclien9.5
Q: matches (regex “\s(\S+).\w*”) of (lines of file “/etc/ntp.conf”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
T: 10127

Q: (lines of file “/etc/ntp.conf”) whose (it contains regex “^server” AND exists regex (“\S+.\S*”) )
A: server 10.25.25.233
T: 1976

bigfixforum · September 29, 2020, 3:11pm

sorry about the initial question… I realize that ntp has all kind of setting in it. initially I thought it just has IP address.

trn · September 29, 2020, 3:15pm

parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)\s”) of (lines of file “/etc/chrony.conf”)

bigfixforum · September 29, 2020, 3:21pm

no charm so far.

Q: parenthesized parts 1 of matches (regex “^server \s(\S+.\S+)\s”) of (lines of file “/etc/ntp.conf”)
T: 7415

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)\s”) of (lines of file “/etc/inet/ntp.conf”)
T: 3226

Q: parenthesized parts 1 of matches (regex “^server \s(\S+.\S+)\s”) of (lines of file “/etc/inet/ntp.conf”)
T: 5037

trn · September 29, 2020, 3:26pm

I omitted to format my last post - and it lost something vital

parenthesized parts 1 of matches (regex "^server\s(\S+\.\S+)\s") of  (lines of file "/etc/chrony.conf")

bigfixforum · September 29, 2020, 3:33pm

still giving some grief. the regex is “”^server\s(\S+.\S+)\s"" - some how it messing up while pasting it. there is backslash before dot

this is linux
$ grep “^server” /etc/ntp.conf
server 10.254.254.233
$ grep “^server” /tmp/ntp.conf
server ntp.ops.aa-cc.org # ntp
server 10.254.254.233
server 10.254.254.231 prefer iburst burst minpoll 4 maxpoll 4
server ntp.ops.aa-cc1.org # ntp
server 1.rhel.pool.ntp.org prefer iburst burst minpoll 4 maxpoll 4
server 127.127.1.0 # local clock
server 10.254.254.232 prefer iburst burst minpoll 4 maxpoll 4
server 143.165.48.29 iburst burst minpoll 4 maxpoll 4
server 1.rhel.pool.ntp.org iburst burst minpoll 4 maxpoll 4
server 2.rhel.pool.ntp.org iburst burst minpoll 4 maxpoll 4

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)\s”) of (lines of file “/etc/ntp.conf”)
T: 1043

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)\s”) of (lines of file “/tmp/ntp.conf”)
A: ntp.ops.aa-cc.org
A: 10.254.254.231
A: ntp.ops.aa-cc1.org
A: 1.rhel.pool.ntp.org

This is aix
$grep “^server” /etc/ntp.conf
server 10.254.254.233
$/opt/BESClient/bin/qna
Default masthead location, using /etc/opt/BESClient/actionsite.afxm
Unable to open masthead for FIPS mode, defaulting to disabled

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)\s”) of (lines of file “/etc/ntp.conf”)
T: 6555

trn · September 29, 2020, 3:39pm

OK, so your config files sometimes contain something after the name/ip address, somethimes not.

parenthesized parts 1 of matches (regex "^server\s(\S+\.\S+)") of lines of file "/etc/ntp.conf"

bigfixforum · September 29, 2020, 3:42pm

yah its mess all over . It has comment after the ip or it has fqdn or ntp commands. not consistent across the board.

bigfixforum · September 29, 2020, 3:46pm

it works in linux not in aix/solaris.

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)”) of lines of file "/etc/ntp.conf"
T: 1896

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)”) of lines of file "/etc/inet/ntp.conf"
T: 26291

Q: parenthesized parts 1 of matches (regex “^server\s(\S+.\S+)”) of lines of file "/etc/ntp.conf"
A: 10.254.254.233
T: 1352

bigfixforum · September 29, 2020, 5:22pm

I have split it out depend on the OS… same regex just wont work across the diff OS’s

if (name of operating system contains “Linux”)
then (
if (exist file “/etc/ntp.conf”)
then concatenation “:” of (matches (regex “\s(\S+).\w*”) of (lines of file “/etc/ntp.conf”) whose (it contains regex “^server” ))
else
concatenation “:” of (matches (regex “\s(\S+).\w*”) of (lines of file “/etc/chrony.conf”) whose (it contains regex “^server” ))
)
else if (name of operating system contains “SunOS”)
then
concatenation “:” of ((concatenation “” of substrings separated by “server” of it) of (lines of file “/etc/inet/ntp.conf”) whose (it contains regex “^server” ))
else if (name of operating system contains “AIX”)
then
concatenation “:” of ((concatenation “” of substrings separated by “server” of it) of (lines of file “/etc/ntp.conf”) whose (it contains regex “^server” ))
else if (name of operating system contains “HP-UX”)
then
concatenation “:” of ((concatenation “” of substrings separated by “server” of it) of (lines of file “/etc/ntp.conf”) whose (it contains regex “^server” ))
else NotFound

JasonWalker · September 30, 2020, 4:06pm

The regex queries depend on underlying OS libraries; while shortcuts like \s work on most, the only guarantee I know of is POSIX-compliant regular expressions.

Instead of \s for spaces, try the POSIX [[:space:]]

edit: [[:space:]] not [:[space]:]

bigfixforum · October 1, 2020, 6:19pm

for linux it work not solris. i bet it will be same for aix/hp-ux.

Q: matches (regex "[[:space:]](\S+)\.\w*") of (lines of file "/etc/ntp.conf") whose (it contains regex "^server" )
A:  10.254.254.233
T: 1332

Q: matches (regex "[[:space:]](\S+)\.\w*") of (lines of file "/etc/inet/ntp.conf") whose (it contains regex "^server" )
T: 3749

JasonWalker · October 1, 2020, 6:31pm

I’m not sure whether the \S or \w shortcuts work either…try testing those a piece at a time and see what’s compatible with your Solaris / AIX systems.

You might be stuck with the lowest denominator of POSIX regular expressions, consisting basically of

[[:alnum:]]   Alphanumeric characters
[[:alpha:]]   Alphabetic characters
[[:blank:]]   Space and tab
[[:cntrl:]]   Control characters
[[:digit:]]   Digits
[[:graph:]]   Visible characters (anything except spaces and control characters)
[[:lower:]]   Lowercase letters
[[:print:]]   Visible characters and spaces (anything except control characters)
[[:punct:]]   Punctuation (and symbols).
[[:space:]]   All whitespace characters, including line breaks
[[:upper:]]   Uppercase letters
[[:xdigit:]]  Hexadecimal digits

bigfixforum · October 1, 2020, 7:03pm

I tried various combo of the above. none of these works in linux

Q: matches (regex "\s[:digit:]\.[:digit:]\.[:digit:]\.[:digit:]") of (lines of file "/etc/ntp.conf") whose (it contains regex "^server" )
T: 980

JasonWalker · October 1, 2020, 7:30pm

That…regex isn’t right though. It’s looking for single digits separated by dots, so “1.1.1.1” may match but “10.10.10.10” would not. Also still using \s which may not work on AIX.

I should be able to work up a sample in a few minutes. I don’t have a Solaris/AIX handy to test but I can at least get a POSIX regex that works on Windows/Linux.

JasonWalker · October 1, 2020, 8:02pm

lines of file "C:\temp\ntp.conf"

# This is a line that should not be matched because no server in it
server ntp.ops.aa-cc.org # ntp
# server bad.ntp.local #This also should not match because it is commented out
server 10.254.254.233
server 10.254.254.231 prefer iburst burst minpoll 4 maxpoll 4
server ntp.ops.aa-cc1.org # ntp
server 1.rhel.pool.ntp.org prefer iburst burst minpoll 4 maxpoll 4
server 127.127.1.0 # local clock
server 10.254.254.232 prefer iburst burst minpoll 4 maxpoll 4
server 143.165.48.29 iburst burst minpoll 4 maxpoll 4
server 1.rhel.pool.ntp.org iburst burst minpoll 4 maxpoll 4

server 2.rhel.pool.ntp.org iburst burst minpoll 4 maxpoll 4

Filter to just the “server” lines:

lines starting with "server" of file "C:\temp\ntp.conf"

server ntp.ops.aa-cc.org # ntp
server 10.254.254.233
server 10.254.254.231 prefer iburst burst minpoll 4 maxpoll 4
server ntp.ops.aa-cc1.org # ntp
server 1.rhel.pool.ntp.org prefer iburst burst minpoll 4 maxpoll 4
server 127.127.1.0 # local clock
server 10.254.254.232 prefer iburst burst minpoll 4 maxpoll 4
server 143.165.48.29 iburst burst minpoll 4 maxpoll 4
server 1.rhel.pool.ntp.org iburst burst minpoll 4 maxpoll 4
server 2.rhel.pool.ntp.org iburst burst minpoll 4 maxpoll 4

Next up, there are a couple of ways of looking at it. If we look at “everything after the spaces after ‘server’, up to a space after the name/address”, we can represent that as

Q: (parenthesized parts 1 of matches(regex("^server[[:space:]]+([^[:space:]]+)")) of it) of lines starting with "server" of file "C:\temp\ntp.conf"
A: ntp.ops.aa-cc.org
A: 10.254.254.233
A: 10.254.254.231
A: ntp.ops.aa-cc1.org
A: 1.rhel.pool.ntp.org
A: 127.127.1.0
A: 10.254.254.232
A: 143.165.48.29
A: 1.rhel.pool.ntp.org
A: 2.rhel.pool.ntp.org
T: 64.227 ms
I: plural substring

If we look it strictly as “the alphanumeric symbols, “.”, or dash/hyphens only”, we could use the expression

Q: (parenthesized parts 1 of matches(regex("^server[[:space:]]+(([[:alnum:]]|\.|-|_)+)")) of it) of lines starting with "server" of file "C:\temp\ntp.conf"
A: ntp.ops.aa-cc.org
A: 10.254.254.233
A: 10.254.254.231
A: ntp.ops.aa-cc1.org
A: 1.rhel.pool.ntp.org
A: 127.127.1.0
A: 10.254.254.232
A: 143.165.48.29
A: 1.rhel.pool.ntp.org
A: 2.rhel.pool.ntp.org
T: 63.088 ms
I: plural substring

Or we could skip the regex altogether, if we assume exactly one space after "server ". As you’ve seen, Regular Expressions depend on OS libraries, while these purely Relevance-based queries are likely to be more reliable:

q: preceding texts of firsts " " of following texts of firsts "server " of lines starting with "server" of file "C:\temp\ntp.conf"
A: ntp.ops.aa-cc.org
A: 10.254.254.231
A: ntp.ops.aa-cc1.org
A: 1.rhel.pool.ntp.org
A: 127.127.1.0
A: 10.254.254.232
A: 143.165.48.29
A: 1.rhel.pool.ntp.org
A: 2.rhel.pool.ntp.org
T: 63.101 ms
I: plural substring

Or, assuming that we want the string containing a “.” from the line, and that there’s only one such string, we can split the line up by tabs and spaces (tab is %09 )

q: (substrings separated by " " of substrings separated by "%09" of it ) whose (it contains ".") of lines starting with "server" of file "C:\temp\ntp.conf"
A: ntp.ops.aa-cc.org
A: 10.254.254.233
A: 10.254.254.231
A: ntp.ops.aa-cc1.org
A: 1.rhel.pool.ntp.org
A: 127.127.1.0
A: 10.254.254.232
A: 143.165.48.29
A: 1.rhel.pool.ntp.org
A: 2.rhel.pool.ntp.org
T: 63.498 ms
I: plural substring

edit: edited the regexen to allow multiple spaces after “server”