
Check_log3.pl looking back in log file X number of lines or X number of minutes

Matt
2014-04-15
2014-04-16
  • Matt

    Matt - 2014-04-15

    Is there a way you can tell the script to only look at the last X number of lines or X number of minutes when looking for the pattern to match?

     
  • Peter Mc Aulay

    Peter Mc Aulay - 2014-04-16

    Not as such, though you could extract the last X lines from the log to a temp file and process that.

    tail -100 /var/log/messages > tmp.log && check_log3.pl -l tmp.log -s /dev/null -p pattern ...

    For the last X minutes, assuming you are using a seek file and the log has been read before, this is the default behaviour (just set the check interval to X minutes). If you want the script to interpret timestamps in the log itself, that is possible but you need the custom eval parser feature.

    E.g. you only ever want to check data from the last 5 minutes (300 seconds), no matter when the check is run:

    check_log3.pl -l logfile -p pattern -e '{ use Date::Parse; my $time = substr($_, 0, 16); my $ts = str2time($time); return 1 if time - $ts < 300; }' ...

    This eval block will only evaluate to true if both the pattern is found AND the timestamp (taken from the first 16 characters in the log) is less than 300 seconds ago. The script will in fact still read the log from the last seek position, but any matches which don't fit the timestamp criteria will not be counted.
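
The time-window test from the eval block above, written out as a standalone Perl script (an added example, not part of the original post or of check_log3.pl). It assumes syslog-style timestamps and uses constructed sample lines, and it goes slightly beyond the one-liner by reporting lines whose timestamp cannot be parsed rather than dropping them without notice; `classify` and `stamp` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example: the -e block's timestamp window check as a standalone script.
use strict;
use warnings;
use Date::Parse qw(str2time);

my $WINDOW = 300;   # seconds, as in the post
my $TS_LEN = 16;    # leading characters treated as the timestamp, as in the post

# Classify one log line as 'recent', 'old' or 'unparsed'.
sub classify {
    my ($line, $now) = @_;
    my $ts = str2time(substr($line, 0, $TS_LEN));
    # str2time returns undef when it cannot parse the string. Reporting this
    # separately exposes lines that a bare "time - $ts < 300" would just skip.
    return 'unparsed' unless defined $ts;
    return ($now - $ts < $WINDOW) ? 'recent' : 'old';
}

# Build a syslog-style timestamp ("Apr 16 09:05:01") independent of locale.
my @MON = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec);
sub stamp {
    my @lt = localtime(shift);
    return sprintf('%s %2d %02d:%02d:%02d', $MON[$lt[4]], @lt[3, 2, 1, 0]);
}

my $now = time;

# Constructed sample lines (host name, PIDs and messages are made up).
my @lines = (
    stamp($now - 60)  . ' host1 sshd[101]: Failed password for root',
    stamp($now - 900) . ' host1 sshd[102]: Failed password for root',
    '<no timestamp> sshd[103]: Failed password for root',
);

my $pattern = qr/Failed password/;

for my $line (@lines) {
    next unless $line =~ $pattern;    # pattern must match, as with -p
    printf "%-8s %s\n", classify($line, $now), $line;
}
```

Only the line classified as `recent` would count as a match under the eval block; a steady stream of `unparsed` lines usually means the log's timestamp format does not fit the first 16 characters.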

     
