Parsing log file for last 2 hours

Shell Programming and Scripting
1

I want to parse a log file which i am grepping root user connection but is showing whole day and previous day detail as well.

First i want to see last 2 hours log file then after that i want to search particular string. Lets suppose right now its 5:00PM, So i want to see the log of 3:00PM to 5:00PM.

my log file is


/var/log/secure
2

Can you give more of a clue:-
1) HW if possible.
2) OS.
3) Shell type, e.g. bash.
4) A snippet of the log file in question so that we can help.
5) What have you tried so far?

1 Like
3

I am using Fedora-17 and my shell is bash shell, My log file name i already mention, i don't want anything special.

Sep 15 01:41:33 servername
Sep 15 01:46:05 servername
Sep 15 02:46:05 servername
Sep 15 02:41:33 servername
Sep 15 02:46:05 servername
Sep 15 03:46:05 servername
Sep 15 03:41:33 servername
Sep 15 03:46:05 servername
Sep 15 04:46:05 servername
Sep 15 04:41:33 servername
Sep 15 04:46:05 servername
Sep 15 04:46:05 servername
Sep 15 05:41:33 servername
Sep 15 05:46:05 servername
Sep 15 05:46:05 servername
Sep 15 05:41:33 servername
Sep 15 06:46:05 servername
Sep 15 06:46:05 servername
Sep 15 06:41:33 servername
Sep 15 06:46:05 servername
Sep 15 07:46:05 servername
Sep 15 07:41:33 servername
Sep 15 07:46:05 servername
Sep 15 08:46:05 servername

I want log of two last hours. So i want last two hours log. Current my time is 08:50 so it show log time of 6 hour and 7 hour. Below is expected output, if i run at 12:10PM so it will show log of 10:00AM and 11:00AM vice versa.

Sep 15 06:46:05 servername
Sep 15 06:46:05 servername
Sep 15 06:41:33 servername
Sep 15 06:46:05 servername
Sep 15 07:46:05 servername
Sep 15 07:41:33 servername
Sep 15 07:46:05 servername
4

You did not mention what you have tried so far, which should become a good habit so you can improve yourself.

But, as this task is soooo easy, here we go:

grep -E "Sep 15 (06|07)" file
Sep 15 06:46:05 servername
Sep 15 06:46:05 servername
Sep 15 06:41:33 servername
Sep 15 06:46:05 servername
Sep 15 07:46:05 servername
Sep 15 07:41:33 servername
Sep 15 07:46:05 servername
5

Hi,
You can do it (in concept):
input file example:

$ cat file1.log
Sep 15 01:41:33 servername
Sep 15 01:46:05 servername
Sep 15 02:46:05 servername
Sep 15 02:41:33 servername
Sep 15 02:46:05 servername
Sep 15 03:46:05 servername
Sep 15 03:41:33 servername
Sep 15 03:46:05 servername
Sep 15 04:46:05 servername
Sep 15 04:41:33 servername
Sep 15 04:46:05 servername
Sep 15 04:46:05 servername
Sep 15 05:41:33 servername
Sep 15 05:46:05 servername
Sep 15 05:46:05 servername
Sep 15 05:41:33 servername
Sep 15 06:46:05 servername
Sep 15 06:46:05 servername
Sep 15 16:41:33 servername
Sep 15 16:46:05 servername
Sep 15 17:46:05 servername
Sep 15 17:41:33 servername
Sep 15 17:46:05 servername
Sep 15 18:46:05 servername
Sep 15 18:41:33 servername
Sep 15 18:46:05 servername
Sep 15 18:46:05 servername
Sep 15 18:41:33 servername
Sep 15 19:46:05 servername
Sep 15 19:46:05 servername

Date and hour of test:

$ LANG=C date
Sun Sep 15 19:28:13 CEST 2013

All lines 2 hours ago full to end file:

$ sed -n "/^$(LANG=C date --date='2 hours ago' '+%b %d %H:')/,\$p" file1.log
Sep 15 17:46:05 servername
Sep 15 17:41:33 servername
Sep 15 17:46:05 servername
Sep 15 18:46:05 servername
Sep 15 18:41:33 servername
Sep 15 18:46:05 servername
Sep 15 18:46:05 servername
Sep 15 18:41:33 servername
Sep 15 19:46:05 servername
Sep 15 19:46:05 servername

Or, all lines 2 hours ago full only (in this example: 17 and 18 but no 19):

$ sed -n "/^$(LANG=C date --date='2 hours ago' '+%b %d %H:')\\|^$(LANG=C date --date='1 hours ago' '+%b %d %H:')/p" file1.log
Sep 15 17:46:05 servername
Sep 15 17:41:33 servername
Sep 15 17:46:05 servername
Sep 15 18:46:05 servername
Sep 15 18:41:33 servername
Sep 15 18:46:05 servername
Sep 15 18:46:05 servername
Sep 15 18:41:33 servername

PS: I use LANG=C because my computer configuration is french...

Regards.

1 Like
6

Actually i modified the script and checking five hours log, but it is not working, below i have tried.

sed -n "/^$(date --date='5 hours ago' '+%b %d %H:')\\|^$(date --date='1 hours ago' '+%b %d %H:')/p" /var/log/secure
7

It's normal, this solution work fine for two contiguous time slots.
A solution:

 sed -n "/^$(date --date='5 hours ago' '+%b %d %H:')/,\${/^$(date --date='0 hours ago' '+%b %d %H:')/q;p}" /var/log/secure

But here, you must do -1 to second hour field.

Regards.