我们发现了一些与感染有关的域名.现在我们在.json文件中有一个DNS名称列表,我想生成一个汇总输出,显示:用户列表,他们访问的唯一域,总计数.如果我也可以计算每个域名的奖励积分.
以下是该文件的示例:
{"machine": "possible_victim01","domain": "evil.com","timestamp":1435071870}
{"machine": "possible_victim01","timestamp":1435071875}
{"machine": "possible_victim01","domain": "soevil.com","timestamp":1435071877}
{"machine": "possible_victim02","domain": "bad.com","timestamp":1435071877}
{"machine": "possible_victim03","timestamp":1435071879}
理想情况下,我希望输出类似于:
{"possible_victim01": "total": 3,{"evil.com": 2,"soevil.com": 1}}
{"possible_victim02": "total": 1,{"bad.com": 1}}
{"possible_victim03": "total": 1,{"soevil.com": 1}}
我很乐意接受:
{"possible_victim01": "total": 3,["evil.com","soevil.com"]}
{"possible_victim02": "total": 1,["bad.com"]}
{"possible_victim03": "total": 1,["soevil.com"]}
我可以获得每个用户的总记录数,但是我丢失了域名列表:
cat sample.json | jq -s 'group_by(.machine) | map({machine:.[0].machine,domain:.[0].domain,count:length}) '
[{"machine": "possible_victim01","count": 3},{"machine": "possible_victim02","count": 1},{"machine": "possible_victim03","count": 1}]
这篇文章描述了如何解决问题的后半部分… JQ Aggregations and Crosstabs.我还没有找到任何描述上半部分的内容,进入:
{"machine": "possible_victim01","count":2}
{"machine": "possible_victim01","count":1}
{"machine": "possible_victim02","count":1}
{"machine": "possible_victim03","count":1}
解决方法
您需要执行两次group_by,一次按计算机名进行分组,然后进行子分组以获取每个域的子计数.
jq查询:
group_by(.machine) | map({
"machine": .[0].machine,"total":length,"domains": (group_by(.domain) | map({
"key":.[0].domain,"value":length}) | from_entries
)
})
示例输出:
{
"machine": "possible_victim01","total": 3,"domains": {
"evil.com": 2,"soevil.com": 1
}
}
{
"machine": "possible_victim02","total": 1,"domains": {
"bad.com": 1
}
}
{
"machine": "possible_victim03","domains": {
"soevil.com": 1
}
}
