Viewing a specific timeframe of a log file

Hi guys

Done a bit of research online but can't seem to figure it out. Is there any way of grepping or using sed to view a specific time period of a log file?

I am trying to view a log file for Saturday 22nd April between 08:00 - 12:00

I saw this command online and tried it, but it doesn't seem to like it:

[casupport@wycvlapph048 epagent]$ sed -n '/4/26/2017 08:00/, //4/26/2017 12:00/p' IntroscopeEPA.log
sed: -e expression #1, char 4: unknown command: `2'

I have also tried using grep

[casupport@wycvlapph048 epagent]$ grep "4/26/2017:09:30" IntroscopeEPA.log

Again nothing returned... Am I not using the correct command for this?

Cheers

The sed error is due to using an unescaped slash in the regex being interpreted as regex terminator. Try escaping it. Don't use double slashes.

The empty result of grep may be due to the exact 9:30 time not being found in the file. Try without minutes.

I'd guess you'd be better off not searching exact points in time but using e.g. awk to calculate times and use comparison operators to match ranges.

Hi RudiC

Thank you for your response

I am not quite sure I understand your first point. What do you mean by escaping it?

I tried removing the time for the grep but this still came back with nothing.

Cheers
Alex

Basically, as you are using the slash for searching, sed stops at the second slash. By prefixing the slashes in between with backslashes, they won't be interpreted by sed as the end of the search pattern, but will go through as part of the pattern. That is what is meant by escaping.
Thus:

$ sed -n '/4\/26\/2017 08:00/, /4\/26\/2017 12:00/p' IntroscopeEPA.log

Personally if I'm working with slashes in my search pattern I use something else:

$ sed -n '\^4/26/2017 08:00^, \^4/26/2017 12:00^p' IntroscopeEPA.log

What I've done here is use the caret (^) as the search pattern delimiter, but you can use almost any other character. As you are using the pattern as an address you have to prefix the caret with a backslash, but if you are using the replacement command (e.g. sed 's^this^that^') sed will accept the first character after the 's' as the delimiter.

Andrew


Hi Andrew

Thank you for your responses and explanations

I tried both commands which executed without error but still nothing returns

[casupport@wycvlapph048 epagent]$ sed -n '\^4/26/2017 08:00^, \^4/26/2017 12:00^p' IntroscopeEPA.log
[casupport@wycvlapph048 epagent]$ sed -n '/4\/26\/2017 08:00/, /4\/26\/2017 12:00/p' IntroscopeEPA.log
[casupport@wycvlapph048 epagent]$

Thinking about it, are there lines with the times '08:00' and '12:00' in the log files? What happens if you use the expression

$ sed -n '\^4/26/2017 0[89]:[0-9][0-9]^p' IntroscopeEPA.log

instead?
Could you post a sample of the log file (up to 10 lines, maybe) here?

Andrew

[casupport@wycvlapph048 epagent]$ tail -10f IntroscopeEPA.log
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] [FAILEDTRANSACTIONS] query: SELECT STATUS, UPDATED_TIMESTAMP FROM VMS_SCHEMA.VEND_STATUS_HISTORY WHERE UPDATED_TIMESTAMP > to_timestamp('26-04-17 11.00.26.235','DD-MM-RR HH24.MI.SS.FF') AND STATUS IN (10,15,20,25,30,35,40,50,55,300,310,350,60,70,75,80,125,45,65,105,106,107,108,109,110,40,320,330,340,145,109) ORDER BY UPDATED_TIMESTAMP ASC ;
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] FailedTransactions polling took: 35ms
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] [VENDATTEMPTS] normal: 26-04-17 11.00.26.235
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] [VENDATTEMPTS] reference: 27-04-17 00.00.00.000
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] [VENDATTEMPTS] current: 26-04-17 12.00.57.101
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] [VENDATTEMPTS] query: SELECT SOURCE, STATUS, PAN, VENDCODE, VEND_TRANSACTION.TRANSACTION_ID, MSN, CREATED_TIMESTAMP, UPDATED_TIMESTAMP FROM VMS_SCHEMA.VEND_TRANSACTION INNER JOIN VMS_SCHEMA.VEND_STATUS_HISTORY ON VEND_TRANSACTION.TRANSACTION_ID = VEND_STATUS_HISTORY.TRANSACTION_ID WHERE UPDATED_TIMESTAMP > to_timestamp('26-04-17 11.00.26.235','DD-MM-RR HH24.MI.SS.FF') AND STATUS IN (100,10,15,20,25,30,35,40,50,55,300,310,350,60,70,75,80,125,45,65,105,106,107,108,109,110,40,320,330,340,145,109) AND CREATED_TIMESTAMP IS NOT NULL ORDER BY UPDATED_TIMESTAMP ASC ;
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] [VENDATTEMPTS] result counter: 10
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] VendAttempts polling took: 38ms
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] Complete polling took: 263ms
4/26/17 12:00:57 PM BST [INFO] [OraclePlugin] Run finished in 0s
4/26/17 12:00:57 PM BST [DEBUG] [OraclePlugin] Heartbeat!

There's your problem! No century. Try

$ sed -n '\^4/26/17 0[89]:[0-9][0-9]^p' IntroscopeEPA.log

instead!

Andrew


Well, 2017 in the regex doesn't really match 17 in the file. And, 12:00 is the closing regex for the range, so matching is stopped there before it even starts.

Try, with an adequate file (i.e. entries BEFORE 12:00h on that date)

sed -n '\^4/26/17 08:^, \^4/26/17 12:^p'  file

Thank you for this, Andrew. This worked! How would I go about changing the time? Not 100% sure on that part (how you got it to return 8/9:00).
I would like to be able to extract a time of 23:00 - 00:00.

Cheers
Alex

Basically the [...] construct matches any of the characters inside the square brackets. So if you wanted to match any time from 03:00 to 06:59 inclusive the following expression will match:

0[3456]:[012345][0123456789]

but for a contiguous series of characters one would use a range:

0[3-6]:[0-5][0-9]

To match a time of 23:00-23:59 you need to change the 0[89] to 23. However, you will need a separate expression to match 00:00 as, for one thing, this will be in the following day (say the 5th instead of the 4th).

I hope that is clear.

Andrew

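
A time-range filter along the lines suggested earlier in the thread (parse the timestamps and compare them instead of matching text), as an added example that is not part of any post. It converts the AM/PM stamps seen in the posted sample lines to 24-hour keys, so a window such as 23:00 to 00:00 can cross midnight; the function names, the bound format and the sample lines are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the lines of a log whose timestamp
# lies in [start, end). Stamps look like "4/26/17 11:59:58 PM BST ..." (format
# taken from the sample posted in the thread); bounds are "YYYY-MM-DD HH:MM:SS"
# in 24-hour time (this calling convention is an assumption of the example).
log_between() {   # usage: log_between START END FILE
    awk -v start="$1" -v end="$2" '
    function key(date, time, ampm,    d, t, h, y) {
        split(date, d, "/"); split(time, t, ":")
        h = t[1] + 0
        if (ampm == "PM" && h < 12) h += 12          # 1 PM..11 PM -> 13..23
        else if (ampm == "AM" && h == 12) h = 0      # 12 AM -> 00
        y = d[3] + 0; if (y < 100) y += 2000         # assumption: 2-digit years are 20xx
        return sprintf("%04d-%02d-%02d %02d:%02d:%02d", y, d[1], d[2], h, t[2], t[3])
    }
    $1 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/ && $2 ~ /^[0-9]+:[0-9]+:[0-9]+$/ {
        k = key($1, $2, $3)
        keep = (k >= start && k < end)               # string compare; keys sort by time
    }
    keep                                             # unstamped lines follow the previous entry
    ' "$3"
}

# Constructed sample lines (not real log data), including a continuation line.
sample_log() {
    cat <<'EOF'
4/26/17 10:59:59 PM BST [INFO] [OraclePlugin] before window
4/26/17 11:00:00 PM BST [INFO] [OraclePlugin] window start
4/26/17 11:59:58 PM BST [DEBUG] [OraclePlugin] multi-line entry
    continuation of the entry above
4/27/17 12:00:00 AM BST [INFO] [OraclePlugin] midnight
4/27/17 12:00:01 AM BST [INFO] [OraclePlugin] after window
4/27/17 11:30:00 AM BST [INFO] [OraclePlugin] same clock digits, wrong half of day
EOF
}

# 23:00 on the 26th up to and including 00:00:00 on the 27th.
demo() {
    tmp=$(mktemp) && sample_log > "$tmp" &&
    log_between "2017-04-26 23:00:00" "2017-04-27 00:00:01" "$tmp"
    rm -f "$tmp"
}

demo
```

Because the comparison is on the full date and time, the 11:30 AM line is excluded even though a text pattern for 11:xx would have matched it.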