I have log in following format
2018-11-11 06:02:32 1gLkhU-002yf9-3G <= email@domain.com H=(netserver.br - 2.15.2.2 -) [127.0.0.1]:48270 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_plain:my@dom.com S=3209 T="test" for my@gmail.com
I need to extract from the row example above only this and exactly in this format
email@domain.com my@dom.com
note: the dovecot_plain: sometime could be only a username (not a full email)
I am using this
grep "dovecot_plain:" /var/log/exim_mainlog | egrep -a -E -io " [A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4} | A=dovecot_plain:[A-Z0-9.@_%+-]{1,100}"
but it's not working as I need, because it's returning this
email@domain.com
A=dovecot_plain:my@dom.com
in two separate rows ...
Any idea how to extract exactly in this format ?
email@domain.com my@dom.com
p.s. also I need to extract this data only for latest 6 hours in EXIM log, do you think it's possible ?
Thank you
awk to the rescue
grep "dovecot_plain:" /var/log/exim_mainlog | awk 'BEGIN{min_timestamp=systime() - 6*60*60}{datetime=$1 " " $2; gsub(/-|:/," ", datetime); timestamp=mktime(datetime)}timestamp>=min_timestamp{split($14,s,":"); print $5, s[2]}'
Returns
email@domain.com my@dom.com
Only if log time >= systime - 6 hours
Edit
Pure awk solution as suggested by @tripleee
awk 'BEGIN{min_timestamp=systime() - 6*60*60}/dovecot_plain:/{datetime=$1 " " $2; gsub(/-|:/," ", datetime); timestamp=mktime(datetime) ; if(timestamp>=min_timestamp){split($14,s,":"); print $5, s[2]}}' /var/log/exim_mainlog