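#!/usr/bin/perl
# Filter alarms for EVAL
# Copyright (C) 2002, Matt Mahoney. This program is distributed
# without warranty under terms of the GNU general public license.
# See http://www.gnu.org/licenses/gpl.txt
#
# Reads alarm lines from the files named on the command line (or from
# STDIN), keeps only the highest-scoring alarm for each (minute, IP)
# pair, orders the survivors by decreasing score and prints at most
# MAX_ALARMS of them.
#
# Expected line layout (the sort relies on these column offsets):
#   9 arbitrary characters, "MM/DD/YYYY HH:MM:SS", a space, a dotted-quad
#   IP zero-padded to 15 characters, a space, the score as "D.DDDDDD",
#   then the rest of the line.
# With that layout the score begins at 0-based column 45, and because it
# is fixed width a plain string comparison of the line tail orders lines
# by score (ties fall through to whatever follows the score).

use strict;
use warnings;

use constant MAX_ALARMS   => 4000;   # how many of the top alarms to print
use constant SCORE_OFFSET => 45;     # column where the fixed-width score begins

# One alarm line.  Anchored at the start so that a match guarantees the
# score really sits at SCORE_OFFSET.  The "." after the leading score
# digit is kept from the original pattern: it matches any character, not
# only the decimal point.
my $ALARM_LINE = qr{
    \A .{9}
    (\d\d/\d\d/\d\d\d\d [ ] \d\d:\d\d) : \d\d [ ]   # $1 date and time, to the minute
    (\d\d\d\.\d\d\d\.\d\d\d\.\d\d\d) [ ]            # $2 zero-padded IP address
    (\d.\d{6}) [ ]                                  # $3 score
}x;

# Record one alarm line, keeping it only if it beats the best score seen
# so far for the same (minute, IP) key.
#
# $state - hashref with two hashrefs: {score}{$key} is the best score seen
#          for $key and {line}{$key} the line carrying it.
# $line  - one input line, newline included (it is stored verbatim).
# Lines that do not match $ALARM_LINE are ignored.  Returns nothing.
sub record_alarm {
    my ($state, $line) = @_;
    return unless $line =~ $ALARM_LINE;
    my ($minute, $ip, $score) = ($1, $2, $3);
    my $key = "$minute$ip";

    # Unseen keys start at 0, as in the original: an alarm scoring exactly
    # 0.000000 is therefore never kept.
    my $best = exists $state->{score}{$key} ? $state->{score}{$key} : 0;
    return unless $score > $best;

    $state->{score}{$key} = $score;
    $state->{line}{$key}  = $line;
    return;
}

# Return the recorded lines sorted by decreasing score, at most $limit of
# them (all of them if fewer were recorded).
#
# $state - as filled by record_alarm.
# $limit - maximum number of lines to return.
sub top_alarms {
    my ($state, $limit) = @_;
    my @sorted = sort { substr($b, SCORE_OFFSET) cmp substr($a, SCORE_OFFSET) }
                 values %{ $state->{line} };
    return splice(@sorted, 0, $limit);
}

# Entry point: stream every input line through record_alarm, then print
# the top MAX_ALARMS survivors.
sub main {
    my $state = { score => {}, line => {} };

    # NOTE: <> performs a 2-argument open on each @ARGV entry, so an
    # argument shaped like a pipe specification is run as a command rather
    # than read as a file.  Pass only trusted file names; Perl 5.22+ offers
    # <<>> to read the arguments as plain files.
    while (my $line = <>) {
        record_alarm($state, $line);
    }

    print top_alarms($state, MAX_ALARMS);
    return;
}

main() unless caller;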