Hi,
I want to see only the last 30 minutes of a log file, discard the previous logs, and only show the latest 30 minutes of the log file. How could it be possible?
Which logs? The specific format probably matters. I'm guessing awk will figure in the answer.
You can use the tail command to display the last n lines:
Code:
tail -100 /var/log/syslog
I don't know of a clean way to do it by time. You would have to write a script that parses the file, picks out the end time, computes 30 minutes previous, and then displays from that point forwards. This would not be trivial because each log file has a slightly different format.
An easier, but clumsy method would be to make a distinctive log entry (or the log that you are interested in) every 1/2 hour then use grep/sed/awk to find that mark and display the file from the last mark to the end. Set up the script in a cronjob to run every 1/2 hour to add the mark.
For example, syslogd puts a mark every 20 minutes, just to show that a system is still alive and running:
-m interval
The syslogd logs a mark timestamp regularly. The default interval between two -- MARK -- lines is 20 minutes. This can be changed with this option.
Setting the interval to zero turns it off entirely. Depending on other log messages generated these lines may not be written consecutively.
In /var/log/messages:
Oct 1 08:32:38 tpad-Gloria7 syslogd 1.5.0#5ubuntu3: restart.
Oct 1 09:02:28 tpad-Gloria7 -- MARK --
Oct 1 09:22:28 tpad-Gloria7 -- MARK --
This is helpful if your name is Mark, otherwise it is less useful if your name is Tim, or Bob, or Jim.
Last edited by tgalati4; October 1st, 2013 at 05:35 PM.
I want to check /var/log/messages for only the last 30 minutes and discard the previous log. I also tried the command below, but no luck.
Code:
sed -n "/^$(date --date='30 minutes ago' '+%b %d %H:')\\|^$(date --date='0 minutes ago' '+%b %d %H:')/p" logfile
Code:
Oct 1 19:20:18 server1 kernel: [ 4187.150615] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Oct 1 19:21:10 server1 kernel: [ 4238.860148] sd 6:0:0:0: [sdb] Test WP failed, assume Write Enabled
Oct 1 19:21:10 server1 kernel: [ 4238.862415] sd 6:0:0:0: [sdb] Asking for cache data failed
Oct 1 19:21:10 server1 kernel: [ 4238.862421] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Oct 1 19:22:02 server1 kernel: [ 4290.572145] sd 6:0:0:0: [sdb] Test WP failed, assume Write Enabled
Oct 1 19:22:02 server1 kernel: [ 4290.574250] sd 6:0:0:0: [sdb] Asking for cache data failed
Oct 1 19:22:02 server1 kernel: [ 4290.574256] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Oct 1 19:22:54 server1 kernel: [ 4342.284094] sd 6:0:0:0: [sdb] Test WP failed, assume Write Enabled
Oct 1 19:22:54 server1 kernel: [ 4342.286210] sd 6:0:0:0: [sdb] Asking for cache data failed
Oct 1 19:22:54 server1 kernel: [ 4342.286216] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Ok. Here's a guess at syslog.
We use -v to set a variable in awk before we start based on the output of "date". From there it's just a simple comparison of the 3rd field/column.
Code:
awk -v date=$(date -d "30 minutes ago" +"%T") '$3 >= date { print $0 }' /var/log/syslog
It is showing the log from 29 September till now.
It gets tricky as the time rolls over at midnight.
What about the command below? Can you please advise; it is also not working.
Code:
sed -n "/^$(date --date='30 minutes ago' '+%b %d %H:')\\|^$(date --date='0 minutes ago' '+%b %d %H:')/p" /var/log/syslog
Last edited by learnbash; October 1st, 2013 at 06:04 PM.
sed won't really do it, I think. It would have to be something more complex. I initially thought awk, but with the problem of the clock rolling over at midnight and syslog not using numeric months, the solution is probably a small perl script. The module Date::Calc does proper time differences.
So, can you help me with that? @perl
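The "small script that parses the file" suggested above, written as an added example in Python rather than perl (it is not code from any poster in this thread). It parses the classic "Mon DD HH:MM:SS" syslog prefix into a real datetime, so the midnight rollover and the non-numeric month names that break the awk string comparison on field 3 are handled; the sample log lines and the fixed "now" are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Classic syslog prefix "Mon DD HH:MM:SS host ..."; note there is no year.
_STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def parse_stamp(line, now):
    """Timestamp of a syslog line as a datetime, or None if it has no prefix.
    The year comes from `now`; a stamp that would lie in the future
    (a Dec 31 entry read on Jan 1) is pushed back to the previous year."""
    m = _STAMP.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    try:
        stamp = datetime(now.year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    except (KeyError, ValueError):
        return None
    if stamp > now + timedelta(minutes=5):  # tolerate a little clock skew
        stamp = stamp.replace(year=now.year - 1)
    return stamp

def last_minutes(lines, minutes=30, now=None):
    """Entries stamped within the last `minutes` before `now` (default: the
    wall clock). Comparing full datetimes rather than field 3 as a string
    makes midnight rollover and month names a non-issue; lines without a
    timestamp (wrapped continuation lines) follow the entry before them."""
    now = now or datetime.now()
    cutoff = now - timedelta(minutes=minutes)
    keep, in_window = [], False
    for line in lines:
        stamp = parse_stamp(line, now)
        if stamp is not None:
            in_window = stamp >= cutoff
        if in_window:
            keep.append(line.rstrip("\n"))
    return keep

# Constructed sample: entries straddling midnight, read at 00:15 on Oct 2.
SAMPLE_NOW = datetime(2013, 10, 2, 0, 15, 0)
SAMPLE = """\
Oct  1 23:30:00 server1 sshd[101]: Accepted publickey for ops from 10.0.0.5
Oct  1 23:50:10 server1 kernel: [ 4187.150615] sd 6:0:0:0: [sdb] Assuming drive cache: write through
Oct  2 00:05:42 server1 sshd[102]: Failed password for invalid user admin from 10.0.0.9
Oct  2 00:14:59 server1 -- MARK --
""".splitlines()
```

On a real system call `last_minutes(open("/var/log/messages"), 30)` and print the result; with the sample above and the fixed clock, only the three entries from 23:50:10 onward are kept even though they span two dates.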