
I am looking for a way to have a script check for multiple occurrences of a line, but only report true if it happened, say, in a 5 or 10 minute interval anywhere in the file.

#!/bin/bash

VAR1=$(/bin/grep -i 'string match' /var/log/logfile.log | wc -l)

if [ "$VAR1" -ge 10 ]; then
    echo " String Match exceeded 10 times"
    exit 2
fi

So basically, if I see 10 or more string matches that occur anywhere in the logfile, as long as they all occurred within 5 minutes of each other, what would I need to change or add?

FYI my logfile date format looks like this:

2016-06-01 18:58:00.307

I am not sure what that 3-digit number appended to the end of the date is.

user53029
  • Sounds like a job for `awk`. – Barmar Jun 01 '16 at 22:07
  • The 3 digit number at the end is milliseconds. – Barmar Jun 01 '16 at 22:08
  • Sounds like it, and yes, I have tried some awk statements from here: http://superuser.com/questions/439688/how-to-grep-a-log-file-within-a-specific-time-period. And here: http://stackoverflow.com/questions/7706095/find-entries-in-log-file-within-timespan-eg-the-last-hour. But I am not anywhere close to an expert on awk, and what I have tried has not produced the results I needed. – user53029 Jun 01 '16 at 22:16
  • Those questions are about looking for lines in a specific time period, not grouping lines within a time range. I'm still not sure what you expect us to do for you -- it looks like you're expecting someone to do your work for you for free. – Barmar Jun 01 '16 at 22:22
  • I expect some damn help. This is not the first place I come to when I need to find out something. I usually spend lots of time googling this stuff before any post I make, sometimes hours. I'm not asking for the code line by line but how about you provide some examples instead of just saying shit like "sounds like a job for awk". I'm not a programmer but I am pretty good at figuring stuff out if people like you would quit being asses and start pointing people in the right direction. – user53029 Jun 01 '16 at 22:37
  • You haven't asked a question for which we can give "some damn help". If you want help with your code, you have to post what you've tried, and we'll help you get it working. Absent that, all we can do is provide very broad advice like "Use awk". Just saying "I need a script that does X" and getting mad when we don't write it for you is not the way to get help. – Barmar Jun 01 '16 at 22:40
  • If you're using GNU awk, see https://www.gnu.org/software/gawk/manual/html_node/Time-Functions.html for functions to help you parse the timestamp in the log file. – Barmar Jun 01 '16 at 22:42
  • For each row, convert the time to a numeric timestamp. Use this as the key of an associative array containing the lines. – Barmar Jun 01 '16 at 22:43
  • Then as you go through the file, find all the keys that are less than 300 seconds earlier than the current line, and add the current line to them as well. – Barmar Jun 01 '16 at 22:44
  • Finally, if you get to 10 lines in a particular group, output them. – Barmar Jun 01 '16 at 22:45
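
The sliding-window approach sketched in the comments (convert each timestamp to seconds, then look for 10 matches within 300 s), as an added example that is not part of the question or any comment. It assumes every log line starts with the "YYYY-MM-DD HH:MM:SS.mmm" timestamp shown in the question, uses a constructed sample log, and converts timestamps with plain arithmetic so it does not depend on gawk's mktime().

```shell
# Added example, not the question's script: report the largest group of matching
# lines within WINDOW seconds instead of the whole-file count. Timestamp format as in the question.
# Constructed sample log: 10 case-insensitive matches overall, but at most 5 in any 300 s span.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2016-06-01 18:00:00.100 string match
2016-06-01 18:10:00.200 string match
2016-06-01 18:20:00.300 string match
2016-06-01 18:30:00.400 STRING MATCH
2016-06-01 18:40:00.500 unrelated line
2016-06-01 18:57:30.000 string match
2016-06-01 18:58:00.307 string match
2016-06-01 18:59:10.111 string match
2016-06-01 19:00:05.222 string match
2016-06-01 19:02:20.333 string match
2016-06-01 19:15:00.444 string match
EOF
# max_burst PATTERN WINDOW_SECONDS FILE: prints the size of the largest set of
# matching lines whose timestamps all lie within WINDOW_SECONDS of each other.
max_burst() {
  grep -i -- "$1" "$3" | LC_ALL=C sort | awk -v win="$2" '
    # Seconds since 1970-01-01 via the days-from-civil formula (no gawk mktime needed); ms ignored.
    function epoch(d, t,   y, m, dd, days) {
      y = substr(d, 1, 4) + 0; m = substr(d, 6, 2) + 0; dd = substr(d, 9, 2) + 0
      if (m <= 2) { y--; m += 12 }
      days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + dd - 719469
      return days*86400 + substr(t, 1, 2)*3600 + substr(t, 4, 2)*60 + substr(t, 7, 2)
    }
    $1 ~ /^[0-9][0-9][0-9][0-9]-/ { ts[++n] = epoch($1, $2) }
    END {
      # Sliding window over sorted timestamps: for each newest line (hi), drop older
      # lines (lo) until the span fits in win, then record the group size.
      best = 0; lo = 1
      for (hi = 1; hi <= n; hi++) {
        while (ts[hi] - ts[lo] > win) lo++
        if (hi - lo + 1 > best) best = hi - lo + 1
      }
      print best
    }'
}
# check_burst PATTERN WINDOW_SECONDS FILE THRESHOLD: the question's exit-2 style check,
# applied to the largest burst rather than to the whole file.
check_burst() {
  local n
  n=$(max_burst "$1" "$2" "$3")
  [ "$n" -ge "$4" ] || return 0
  echo "String match exceeded $4 times within $2 seconds (largest burst: $n)"
  return 2
}
```

With the sample log, the original whole-file count reaches 10, but no 5-minute window holds more than 5 matches, so the windowed check stays quiet.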

0 Answers