从日志文件底部开始搜索两个时间戳之间的字符串

时间:2014-06-06 11:47:22

标签: bash shell search sed grep

我试图在文件out.log中从下到上搜索字符串'Cannot proceed: the database is empty'(因为日志文件非常庞大,而且每天只在最后添加日志)在昨天的时间戳10:30下午到凌晨00:30凌晨。

从out.log中提取如下: 

[Thu Jun  5 07:56:17 2014]Local/data///47480280486528/Info(1019022)
Writing Database Mapping For [data]

[Thu Jun  5 07:56:18 2014]Local/data///47480280486528/Info(1250008)
Setting Outline Paging Cachesize To [8192KB]

[Thu Jun  5 07:56:18 2014]Local/data///47480280486528/Info(1013202)
Cannot proceed: the database is empty 

[Thu Jun  5 07:56:20 2014]Local/data///47480280486528/Info(1013205)
Received Command [Load Database]

[Thu Jun  5 07:56:21 2014]Local/data///47480280486528/Info(1019018)
Writing Parameters For Database

我在google和SO上搜索并探索了sedgrep之类的命令,但遗憾的是grep似乎没有解析时间戳,sed打印了两个之间的所有行图案。

任何人都可以告诉我如何实现这一目标吗?

2 个答案:

答案 0 :(得分:3)

您可以在awk中使用日期比较:

tac file | awk '/Cannot proceed: the database is empty/ {f=$0; next} f{if (($3==5 && $4>"22:30:00") || ($4==6 && $4<="00:30:00")) {print; print f} f=""}'

测试

对于此给定文件:

$ cat a
[Thu Jun  5 07:56:17 2014]Local/data///47480280486528/Info(1019022)
Writing Database Mapping For [data]

[Thu Jun  5 07:56:18 2014]Local/data///47480280486528/Info(1250008)
Setting Outline Paging Cachesize To [8192KB]

[Thu Jun  5 07:56:18 2014]Local/data///47480280486528/Info(1013202)
Cannot proceed: the database is empty 

[Thu Jun  5 07:56:20 2014]Local/data///47480280486528/Info(1013205)
Received Command [Load Database]

[Thu Jun  5 07:56:21 2014]Local/data///47480280486528/Info(1019018)
Writing Parameters For Database 

[Thu Jun  5 23:56:20 2014]Local/data///47480280486528/Info(1013205)
Writing Parameters For Database 

[Thu Jun  5 23:56:20 2014]Local/data///47480280486528/Info(1013205)
Cannot proceed: the database is empty 

[Thu Jun  5 22:56:21 2014]Local/data///47480280486528/Info(1019018)
Cannot proceed: the database is empty

它返回:

$ tac a | awk '/Cannot proceed: the database is empty/ {f=$0; next} f{if (($3==5 && $4>"22:30:00") || ($4==6 && $4<="00:30:00")) {print; print f} f=""}'
[Thu Jun  5 22:56:21 2014]Local/data///47480280486528/Info(1019018)
Cannot proceed: the database is empty 
[Thu Jun  5 23:56:20 2014]Local/data///47480280486528/Info(1013205)
Cannot proceed: the database is empty

答案 1 :(得分:2)

你可以得到这个:

awk '/Cannot proceed: the database is empty/{ts = last; msg = $0; next}; {last = $0}; END{if (ts) printf "%s\n%s\n", ts, msg}' log

输出:

[Thu Jun  5 07:56:18 2014]Local/data///47480280486528/Info(1013202)
Cannot proceed: the database is empty

根据实际需要的部分来改进代码应该很容易。

相关问题
最新问题