0

Column $3 and $4 in my log file have a date timestamp and I want to use sed or a similar command to edit the file in place to remove records older than 24 hours.

2015-07-29 04:30:12
2015-07-29 04:30:21
2015-07-29 04:30:21
2015-07-29 04:30:21
2015-07-29 04:31:42

I use something like this successfully to search for records between dates.

LAST24HR=$(date "+%Y-%m-%d %H:%M:%S" -d "-24 hour")
NOW=$(date "+%Y-%m-%d %H:%M:%S")

awk '$3" "$4>=from&&$3" "$4<=to' from="$LAST24HR" to="$NOW"

Is there a way I can remove lines in place from the file in a similar manner?

Songy
  • 851
  • 4
  • 17
user1999357
  • 113
  • 1
  • 2
  • 11
  • 2
    sed is not the best tools in this case because is has few comparaison function (compare to other). I advice, in this case to use awk instead – NeronLeVelu Jul 29 '15 at 12:32
  • possible duplicate of [awk save modifications inplace](http://stackoverflow.com/questions/16529716/awk-save-modifications-inplace) – buff Jul 29 '15 at 12:50
  • seems to be, thanks to the community for linking back to the gawk in place editing. I was able to get that installed and testing it out in our scenario here. thanks! – user1999357 Jul 30 '15 at 09:58

1 Answers1

2
awk -v "DateRef=$( date "+%Y-%m-%d %H:%M:%S" -d "-24 hour" )" '( $3 " " $4 ) >= DateRef { print }'
  • only print record that are in scope
  • for the "in place", if using awk enter link description here or use redirection and temporary file.

I assume your 'record older than 24 hour' but not fully the 'between date' because you take the current date as reference i i don't suspect there is an entry newer.

NeronLeVelu
  • 9,908
  • 1
  • 23
  • 43
  • 1
    nice! Note you probably can skip the `{print}` part, since a condition evaluated as true triggers awk's default action: `{print $0}`, that is, to print the current line. – fedorqui Jul 29 '15 at 12:52
  • 1
    check the variable name - it's `DaRef` when set and `DateRef` when tested. Are you sure string concatenation takes precedence over comparison? I'd write the test as `($3 " " $4) >= DateRef` to make it explicit - helps the clarity even if it isn't necessary. I have a hard time reading and understanding why `"var=val"` is preferable over `var="val"` but maybe it's just me. – Ed Morton Jul 29 '15 at 14:05
  • thanks for the feedback! the gawk In place editing is what I was looking for, thanks for providing the link back to that article. We're testing that compile of gawk now with our workflow scenario. Appreciate it! – user1999357 Jul 30 '15 at 09:59