extract last 10 minutes from logfile [duplicate]

Anonymous (unverified) submitted on 2019-12-03 01:59:02

Question:


Trying to find a simple way for watching for recent events (from less than 10 minutes), I've tried this:

awk "/^$(date --date="-10 min" "+%b %_d %H:%M")/{p++} p" /root/test.txt

but it doesn't work as expected...

Log files are in the form:

Dec 18 09:48:54 Blah
Dec 18 09:54:47 blah bla
Dec 18 09:55:33 sds
Dec 18 09:55:38 sds
Dec 18 09:57:58 sa
Dec 18 09:58:10 And so on...

Answer 1:

You can match the date range using simple string comparison, for example:

d1=$(date --date="-10 min" "+%b %_d %H:%M")
d2=$(date "+%b %_d %H:%M")
# Read the log on stdin; quote "$line" so the padded day ("Dec  8") is kept intact
while IFS= read -r line; do
    [[ $line > $d1 && $line < $d2 || $line =~ $d2 ]] && echo "$line"
done

For example if d1='Dec 18 10:19' and d2='Dec 18 10:27' then the output will be:

Dec 18 10:19:16
Dec 18 10:19:23
Dec 18 10:21:03
Dec 18 10:22:54
Dec 18 10:27:32

Or using awk if you wish:

awk -v d1="$d1" -v d2="$d2" '$0 > d1 && $0 < d2 || $0 ~ d2'


Answer 2:

Here is a nice tool; the range is any you wish, from -10 till now:

sed -n "/^$(date --date='10 minutes ago' '+%b %_d %H:%M')/,\$p" /var/log/blaaaa


Answer 3:

That's a (common) job for perl!:

Simple and efficient:

perl -MDate::Parse -ne 'print if/^(.{15})\s/&&str2time($1)>time-600' /path/log

This version prints the last 10 minutes of events, up to now, by using the time function.

You could test this with:

sudo cat /var/log/syslog |
  perl -MDate::Parse -ne '
    print if /^(\S+\s+\d+\s+\d+:\d+:\d+)\s/ && str2time($1) > time-600'

Note that the first representation uses only the first 15 chars of each line, while the second construct uses a more detailed regexp.

As a perl script: last10m.pl

#!/usr/bin/perl -wn

use strict;
use Date::Parse;
print if /^(\S+\s+\d+\s+\d+:\d+:\d+)\s/ && str2time($1) > time-600

Strictly: extract last 10 minutes from logfile

Meaning not relative to current time, but to last entry in logfile:

There are two ways of retrieving the end of the period:

date -r logfile +%s
tail -n1 logfile | perl -MDate::Parse -nE 'say str2time($1) if /^(.{15})/'

Where logically, last modification time of the logfile must be the time of the last entry.

So the command could become:

perl -MDate::Parse -ne 'print if/^(.{15})\s/&&str2time($1)>'$(
    date -r logfile +%s)'-600' logfile

or you could take the last entry as reference:

perl -MDate::Parse -E 'open IN,"<".$ARGV[0];seek IN,-200,2;while (<IN>) {
    $ref=str2time($1) if /^(\S+\s+\d+\s+\d+:\d+:\d+)/;};seek IN,0,0;
    while (<IN>) {print if /^(.{15})\s/&&str2time($1)>$ref-600}' logfile

The second version seems stronger, but accesses the file only once.

As a perl script, this could look like:

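#!/usr/bin/perl -w

use strict;
use Date::Parse;
my $ref;                 # The only variable I will use in this.

open IN,"<".$ARGV[0];    # Open (READ) file submitted as 1st argument
seek IN,-200,2;          # Jump to 200 characters before the end of the file
while (<IN>) {           # Keep the time of the last timestamped line
    $ref=str2time($1) if /^(\S+\s+\d+\s+\d+:\d+:\d+)/;
};
seek IN,0,0;             # Jump back to the beginning of the file
while (<IN>) {
    print if /^(.{15})\s/ && str2time($1) > $ref-600;
}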
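
An added example, not part of the original answers: a portable awk filter in a hypothetical shell function `last_minutes` that, like the last variant above, measures the window from the file's last dated entry. It converts each timestamp to seconds, so it does not rely on the string order of month names or on a line existing at the exact start minute, and it keeps undated continuation lines with their entry. The optional year argument is an assumption, needed only because this log format carries no year.

```shell
#!/bin/sh
# last_minutes FILE [MINUTES] [YEAR]
# Print the entries from the final MINUTES (default 10) of a syslog-style file,
# measured from its last timestamped line. YEAR (default: current year) only
# decides whether February has 29 days.
last_minutes() {
    awk -v win="${2:-10}" -v year="${3:-$(date +%Y)}" '
    BEGIN {
        re = "^[A-Z][a-z][a-z] +[0-9]+ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
        leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        split("31 28 31 30 31 30 31 31 30 31 30 31", len, " ")
        len[2] += leap
        days = 0
        for (i = 1; i <= n; i++) { first[name[i]] = days; days += len[i] }
        yearsecs = days * 86400
    }
    # Seconds since 1 January for a "Mon D HH:MM:SS" prefix, -1 if there is none.
    function stamp(line,    f, t) {
        if (line !~ re) return -1
        split(line, f, " ")
        if (!(f[1] in first)) return -1
        split(f[3], t, ":")
        return ((first[f[1]] + f[2] - 1) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
    }
    # Pass 1: remember the timestamp of the last dated line.
    NR == FNR { t = stamp($0); if (t >= 0) last = t; next }
    # Pass 2: decide per dated line; undated continuation lines inherit it.
    {
        t = stamp($0)
        if (t >= 0) {
            # A stamp far ahead of the reference predates a Dec -> Jan rollover.
            if (t - last > yearsecs / 2) t -= yearsecs
            keep = (t > last - win * 60)
        }
        if (keep) print
    }' "$1" "$1"
}
```

Call it as `last_minutes /root/test.txt` or `last_minutes /var/log/syslog 30`; the file is read twice, so it must be a regular file rather than a pipe.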