Finding errors in log file only in last 10 minutes

Hi there,

I have a log file that I need to check every 10 minutes to find if a specific error exists but only in that 10 minute period. The reason is that the log is quite large, and will frequently contain these errors, so I only want alerting if it in the last 10 minutes - I don't want continually to be alerted for the rest of the day once this error happens.

I'm ok with all the alerting aspects, and setting up a cronjob to run every 10 mins, and mail me if the alert is triggered, the problem I am having is just identifying if this error exists in the last 10 minutes of the log file.

I've had a look through the forum, and can see similar posts, but none of them seem to work for me. I think I need to use awk to check if the datetime in the log is greater than 10 minutes ago, this is my sticking point.

I know I can get the time of 10 minutes ago by doing this...

date=`date --date='10 minutes ago' "+%Y-%m-%d %H:%M:%S"`

and my logfile with its errors looks like this (the timestamps are exact, but I've amended the actual error text...)

12-09-2011 11:58:43 ERROR: Application_name - some other error
12-09-2011 11:58:43 ERROR: Application_name - some other error
12-09-2011 12:03:03 ERROR: Application_name - error I'm looking for
12-09-2011 12:03:03 ERROR: Application_name - some other error
12-09-2011 12:05:16 ERROR: Application_name - some other error
12-09-2011 12:14:22 ERROR: Application_name - error I'm looking for
12-09-2011 12:14:22 ERROR: Application_name - some other error
12-09-2011 12:15:08 ERROR: Application_name - some other error
12-09-2011 12:15:08 ERROR: Application_name - some other error

I'm ok with things like awk and grep to find the error, it's just coming up with an awk command to find the error in the last 10 minutes that I'm struggling with. I thought it was just a matter of getting the current time - 10 mins into a variable, then comparing that with awk, but the things I've tried either return everything or nothing.

I'm relatively new to shell scripting, and this is my first post (so apologies if I've done anything stupid!)

Thanks in advance,
Paul B

Try something like this:

tac INPUTFILE | awk -v fin=120400 '{      # newest lines first; fin = cutoff time as HHMMSS
  t=$2                                     # the HH:MM:SS field
  gsub(/:/, "", t)                         # -> HHMMSS, comparable with fin
  if (t < fin) exit                        # older than the cutoff: nothing left to check
  if ($0 ~ /error I'"'"'m looking for/) print
}'
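The same idea as a reusable shell function, added here as an example and not code from the thread: it takes the cutoff straight from the `date` command in the question (YYYY-MM-DD, while the log is DD-MM-YYYY), normalises both sides to a 14-digit YYYYMMDDHHMMSS string so the comparison also survives midnight, and prints the number of matching lines rather than the lines themselves. The sample log below is constructed for the self-test and the log path in the cron comment is a placeholder.

```shell
#!/bin/sh
# count_recent_errors LOGFILE CUTOFF PATTERN
#   LOGFILE : log in the thread's "DD-MM-YYYY HH:MM:SS ..." layout
#   CUTOFF  : "YYYY-MM-DD HH:MM:SS", as produced by
#             date --date='10 minutes ago' "+%Y-%m-%d %H:%M:%S"
#   PATTERN : fixed string to look for (matched with index(), so the
#             apostrophe in "I'm" and regex metacharacters need no escaping)
# Prints the number of matching lines stamped at or after CUTOFF.
count_recent_errors() {
  awk -v cutoff="$2" -v pat="$3" '
    BEGIN {
      # "2011-09-12 12:05:00" -> "20110912120500"
      gsub(/[-: ]/, "", cutoff)
    }
    {
      # log stamp is day-first: "12-09-2011 12:14:22" -> "20110912121422"
      split($1, d, "-")
      stamp = d[3] d[2] d[1] $2
      gsub(/:/, "", stamp)
      # both sides are 14-digit strings of the same layout, so the
      # comparison also holds across midnight, unlike HHMMSS alone
      if (stamp >= cutoff && index($0, pat)) n++
    }
    END { print n + 0 }
  ' "$1"
}

# Constructed sample log (not a real file from the thread) for a self-test.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
12-09-2011 11:58:43 ERROR: Application_name - some other error
12-09-2011 12:03:03 ERROR: Application_name - error I'm looking for
12-09-2011 12:05:16 ERROR: Application_name - some other error
12-09-2011 12:14:22 ERROR: Application_name - error I'm looking for
13-09-2011 00:00:05 ERROR: Application_name - error I'm looking for
EOF

# In the 10-minute cron job the cutoff comes from date(1); /path/to/app.log
# is a placeholder for the real log:
#   cutoff=$(date --date='10 minutes ago' "+%Y-%m-%d %H:%M:%S")
#   n=$(count_recent_errors /path/to/app.log "$cutoff" "error I'm looking for")
#   [ "$n" -gt 0 ] && echo "$n matching errors since $cutoff" | mail -s "app errors" you@example.com
```

Because the count comes back on stdout, the cron job can both decide whether to alert and put the number in the mail body.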

Hi,

This is good, and does do what I'm after, thanks very much :)

However, I was just wondering, how would I change it to print *all* the errors that have happened in the last 10 minutes? The above (if I understand it correctly) will just return the most recent line which is true. (This is fine though, as it will work for my alerting - it'd also be handy if I knew how many times this error has occurred in the last 10 mins).

Thanks again,
Paul B

---------- Post updated at 01:43 PM ---------- Previous update was at 01:35 PM ----------

Sorry, I think I'm being stupid, that is already what this does, I just appeared to run it on a log file that only had one error in the last 10 minutes...

Sorry!

Thanks again for the help.

Paul B

Ok. Deleted.