listing processes older than n days

delphys · February 8, 2012, 11:30am

Hello; trying to find processes older than n days, mostly user shells Tried the following code on 11.31 box: in this case older than 5 days

UNIX95= ps -ef -o user,pid,ppid,cpu,etime,stime | grep "-" | awk '{print $2}' | xargs ps -ef|grep -v '?' |\
awk '$5 !~ "[0-9][0-9]"' | awk '($5 ~ "$(date "+%b")") && ($6 <= "$(echo $(date "+%e") - 5 | bc)")'

but is erroring out with:

 syntax error The source line is 1.
 The error context is
                ($5 ~ "$(date >>>  "+% <<< b")") && ($6 <= "$(echo $(date "+%e") - 5 | bc)")
        awk: There is an extra ) character.
 awk: Quitting
 The source line is 1.

Anyone has other/better ideas ??

Thank you

Skrynesaver · February 8, 2012, 11:59am

ps -ef  | perl -MDate::Calc -e 'while(<>){print "$1\t:\t$2\n" if ((/^\s+\w+\s+(\d+)\s+\d+\s+\d+\s+(\w{3}\s+\d+|20\d+|\d{2}:\d{2}:\d{2})/)&&(more_recent($2,3)))}'

writing the more_recent routine is left as a rather complex exercise The regex above will capture the following time stamp styles in $2
16:45:00
Feb 08
2011
Your more_recent routine would have to deal with that (The first is obviously today's the last obviously later so only the middle style requires the use of the Date::Calc module.

delphys · February 8, 2012, 12:27pm

Skrynesaver1:

ps -ef  | perl -MDate::Calc -e 'while(<>){print "$1\t:\t$2\n" if ((/^\s+\w+\s+(\d+)\s+\d+\s+\d+\s+(\w{3}\s+\d+|20\d+|\d{2}:\d{2}:\d{2})/)&&(more_recent($2,3)))}'
writing the more_recent routine is left as a rather complex exercise The regex above will capture the following time stamp styles in $2
16:45:00
Feb 08
2011
Your more_recent routine would have to deal with that (The first is obviously today's the last obviously later so only the middle style requires the use of the Date::Calc module.

Thank you .. just starting to learn Perl so not sure what you are refering to ..

methyl · February 8, 2012, 1:07pm

Another approach (skeleton). Start with "UNIX95= ps -af" to eliminate most of the system processes, then eliminate anything dated today and positively select lines containing a hyphen (which comes from changed format of "etime" greater than one day).
One side effect is that this pick up "defunct" processes (which display in the old "ps" as uid -3), but they might be interesting anyway.
Avoided outputting the "args" option because it could contain hyphens.

MMMDD=`date +'%b %e'`
UNIX95= ps -af -o user,pid,ppid,cpu,etime,stime| \
                grep -v "PID"| grep -v "${MMMDD}" | grep "\-"

If you need to output the process line in new "ps" format then we can extend the pipeline to pick up the PID ($2) and feed it to "ps -fp<pid>", eliminate "defunct", and then feed the list to a less-complicated "awk" because all the dates will be in the same format. No need to do "ps -ef" for every individual process.

Afterthought: The UNIX95 "ps" etime field contains the number of days old. This might be simple.

delphys · February 8, 2012, 2:33pm

methyl:

Another approach (skeleton). Start with "UNIX95= ps -af" to eliminate most of the system processes, then eliminate anything dated today and positively select lines containing a hyphen (which comes from changed format of "etime" greater than one day).
One side effect is that this pick up "defunct" processes (which display in the old "ps" as uid -3), but they might be interesting anyway.
Avoided outputting the "args" option because it could contain hyphens.
MMMDD=`date +'%b %e'`
UNIX95= ps -af -o user,pid,ppid,cpu,etime,stime| \
   grep -v "PID"| grep -v "${MMMDD}" | grep "\-" 
If you need to output the process line in new "ps" format then we can extend the pipeline to pick up the PID ($2) and feed it to "ps -fp<pid>", eliminate "defunct", and then feed the list to a less-complicated "awk" because all the dates will be in the same format. No need to do "ps -ef" for every individual process.

Afterthought: The UNIX95 "ps" etime field contains the number of days old. This might be simple.

Thank you very much !!

Finally got it working.. added following filters for user procs older 5 days in this case.

UNIX95= ps -af -o user,pid,ppid,cpu,etime,stime| grep "\-" | awk '$5 >= "5"' |\
awk '{print "ps -fp "$2}'|sh | awk '( NR ==1 ) || ( NR > 1 && $1 !~ "UID")'

methyl · February 8, 2012, 5:02pm

@delphys
I'm no awk expert but this has inspired me to learn. If awk can take the leading numeric character(s) of a complex alphanumeric string (like the format of "etime" from a Berkeley "ps") into a numeric comparison awk '$5 >= "5"' that is really useful.
Personally I'd would have had to extract the leading numbers (i.e. the number of idle days) and used a Shell integer comparison.

agama · February 8, 2012, 6:42pm

delphys:

Thank you very much !!

Finally got it working.. added following filters for user procs older 5 days in this case.
UNIX95= ps -af -o user,pid,ppid,cpu,etime,stime| grep "\-" | awk '$5 >= "5"' |\
awk '{print "ps -fp "$2}'|sh | awk '( NR ==1 ) || ( NR > 1 && $1 !~ "UID")'

I would have coded the check for greater than 5 days differently. At least with the version of awk I've got installed in various places, your code doesn't work. Here is the output using your ps command from one of my boxes:

ps af -o user,pid,ppid,cpu,etime,stime 
USER       PID  PPID CPU     ELAPSED STIME
scooter  20422 20420   -  9-21:01:26 Jan29
scooter  11297 11295   -  1-19:58:34 Feb06
scooter   8004  8002   -  1-21:44:42 Feb06
scooter   8028  8004   -  1-21:44:35 Feb06
scooter   6832  6830   - 12-19:32:12 Jan26
scooter  15635  6832   -       00:00 18:24
scooter   4507  4505   - 12-20:29:18 Jan26
scooter   4420  4406   - 12-20:30:07 Jan26
scooter   5802  4245   -  2-18:54:15 Feb05
root      4061  4058   - 12-20:31:53 Jan26
scooter  13648     1   -  1-18:39:33 Feb06
scooter  19532 13648   -    18:18:29 00:05
scooter  19533 13648   -    18:18:29 00:05
scooter   4468     1   - 12-20:29:49 Jan26
scooter   4469  4468   - 12-20:29:49 Jan26
scooter   4467     1   - 12-20:29:50 Jan26
scooter   4441     1   - 12-20:29:50 Jan26
scooter   4452  4441   - 12-20:29:50 Jan26
scooter   4453  4441   - 12-20:29:50 Jan26
scooter   4440     1   - 12-20:29:50 Jan26
scooter   4439     1   - 12-20:29:50 Jan26
root      4240     1   - 12-20:31:50 Jan26
root      4233     1   - 12-20:31:50 Jan26
root      4229     1   - 12-20:31:50 Jan26
root      4227     1   - 12-20:31:50 Jan26
root      4225     1   - 12-20:31:50 Jan26

When I pipe that through your awk ( $5 > "5" ) the output is this:

USER       PID  PPID CPU     ELAPSED STIME
scooter  20422 20420   -  9-21:03:52 Jan29

which as far as I can tell is wrong. It should have listed all of the processes that are shown as being 12 days old in addition to the one that it did list.

The problem is that you are doing string comparison, instead of doing numeric comparison and a string which begins with a '1' is less than a string that begins with a '5'.

I make a habit of always 'casting' fields to force them to be numeric before doing any kind of numeric comparison with them. I've been bitten countless times by forgetting this. To fix the problem, change your awk:

awk ' $5+0 > 5'

Notice that there are no quotes round the 5, and that +0 causes the fifth field to be converted to integer before doing the comparison. A string like
12-20:31:50 becomes an integer 12 when 0 is added to it, and the comparison yields the expected result. With the changes:

ps af -o user,pid,ppid,cpu,etime,stime| grep -- "[0-9]-[0-9]"|awk '$5+0 > 5' 
scooter  20422 20420   -  9-21:11:53 Jan29
scooter   6832  6830   - 12-19:42:39 Jan26
scooter   4507  4505   - 12-20:39:45 Jan26
scooter   4420  4406   - 12-20:40:34 Jan26
root      4061  4058   - 12-20:42:20 Jan26
scooter   4468     1   - 12-20:40:16 Jan26
scooter   4469  4468   - 12-20:40:16 Jan26
scooter   4467     1   - 12-20:40:17 Jan26
scooter   4441     1   - 12-20:40:17 Jan26
scooter   4452  4441   - 12-20:40:17 Jan26
scooter   4453  4441   - 12-20:40:17 Jan26
scooter   4440     1   - 12-20:40:17 Jan26
scooter   4439     1   - 12-20:40:17 Jan26
root      4240     1   - 12-20:42:17 Jan26
root      4233     1   - 12-20:42:17 Jan26
root      4229     1   - 12-20:42:17 Jan26
root      4227     1   - 12-20:42:17 Jan26
root      4225     1   - 12-20:42:17 Jan26

You should also notice the change to the grep that avoids picking up a record for a process active less than 24 hours (it matched the dash in the cpu column, and the change forces it to match a dash only between two numbers as would appear in the date column.) You can also eliminate the grep completely:

ps af -o user,pid,ppid,cpu,etime,stime| awk ' $5 ~/[0-9]-[0-9]/ && $5+0 > 5'