How to get the last N minutes of log messages

Question

My logs are in this format:

[2018-01-22T13:40:22,825][WARN ] message
[2018-01-22T13:41:52,830][ERROR ] message
[2018-01-22T13:45:27,831][WARN ] message

I need to write a script that will check to see if there have been any errors in the last 5 minutes. From what I've found online, something like this should work:

awk -v d1="$(date --date="-5 min" "+%Y-%m-%dT%H:%M:%S")" -v d2="$(date "+%Y-%m-%dT%H:%M:%S")" '$0 > d1 && $0 < d2 || $0 ~ d2' log.txt

But it doesn't. I think that the [ is getting in the way maybe? What else can I try?

Answer 1

Awk solution:

Sample log.txt:

[2018-01-22T13:40:22,825][WARN ] message
[2018-01-23T00:38:37,830][ERROR ] message
[2018-01-22T13:45:27,831][WARN ] message

---

awk -v d1="$(date --date="-5 min" "+%Y-%m-%dT%H:%M:%S")" \
    -v d2="$(date "+%Y-%m-%dT%H:%M:%S")" \
    '$2 > d1 && $2 < d2 && $4~/ERROR/' FS='[\\[\\]]' log.txt

• FS='[\\[\\]]' - treat square brackets as complex field separator

The output:

[2018-01-23T00:38:37,830][ERROR ] message

Answer 2

You're right, [ is getting in the way.

The lexicographical compare, $0 > d1, compares something like:

[2018-01-22T13:45:27,831][WARN ] message

with

2018-01-22T13:45:27

and [... is always greater than any string starting with a number, e.g. 20...

Similarly for $0 < d2 -- but in this case the condition is never satisfied ([20.. is always greater than 20..). That's why you're not getting any output.

A quick'n'dirty fix is to simply format d1 and d2 to start with [:

awk -v d1="$(date --date="-5 min" "+[%Y-%m-%dT%H:%M:%S")" -v d2="$(date "+[%Y-%m-%dT%H:%M:%S")" '$0 > d1 && $0 < d2' log