Re: Help grepping last 5 minutes of syslog
From: Joseph
Subject: Re: Help grepping last 5 minutes of syslog
Date: 17 Sep 2004 04:04:21 -0700
"Colin S. Miller" <colin.miller@spam-me-not.picsel.com> wrote in message
news:<7cp9ic.91f.ln@195.171.216.1>...
> Joseph wrote:
> > Hi everyone,
> >
> > Can someone please help me with a grep command? I am looking for a way
> > to display only the last 5 minutes' worth of syslog entries.
> >
> > This will of course give me the current minute's entries:
> >
> > grep "`date +\"%b %e %H:%M\"`" /var/log/messages
> >
> > But I don't know how to construct a regex which will give a range that
> > encompasses the previous 5 minutes instead of just %M.
> >
> > Any tips on how to do this?
> >
> > Thanks,
> >
> > Joseph
> I doubt if it's possible; when you consider 10s of minutes wrapping
> around the regexp gets complex; when the month wraps around you'll need
> to generate a new month name.
> Personally, I'd write a Perl script that parses the date from each
> line, and converts it to a time_t (seconds since the Epoch),
> and uses that to decide if the line should be printed.
>
> If the log file is busy, then the following awk command will work.
> It's a nasty hack; it calculates the time 5 minutes ago, ignoring
> seconds, and then searches the log file for an entry starting
> with that time. Once found, it prints that entry, and all subsequent
> entries. However, if there was no entry for that time, all the
> entries afterwards will be ignored.
>
>
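> awk '
> BEGIN {
>     pass = 0;
>     # %e (space-padded day) matches syslog timestamps such as "Sep  7";
>     # %d would give "Sep 07" and never match on days 1-9.
>     # strftime() and systime() are gawk extensions.
>     search = "^" strftime("%b %e %H:%M", systime() - 5 * 60);
> }
> {
>     # Start printing at the first entry from the minute 5 minutes ago.
>     if ($0 ~ search) pass = 1;
>     if (pass) print $0
> }
> END { pass = 0 }' /var/log/messages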
>
> HTH.
> Colin S. Miller
That works great.
Thanks.
Joseph
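
The approach suggested in the quoted reply (parse each line's date, convert it to a time value, and compare) as an added example in Python rather than Perl; it is not code from the thread. It assumes traditional syslog timestamps in local time, and the function names, the one-minute skew tolerance and the sample entries are constructed for illustration. Unlike the awk hack, it still works when nothing was logged in the minute exactly five minutes ago.

```python
import re
from datetime import datetime, timedelta

# Traditional syslog stamp, local time, no year: "Sep 17 04:04:21" / "Sep  7 04:04:21".
STAMP = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample entries (not from the thread). Nothing was logged at 03:59.
SAMPLE = [
    "Sep 17 03:58:02 host sshd[411]: Accepted password for joseph",
    "Sep 17 04:00:40 host su: session opened for user root",
    "Sep 17 04:03:59 host kernel: eth0: link up",
]


def entry_time(line, now):
    """Return the line's timestamp as a datetime, or None if it has none."""
    m = STAMP.match(line)
    if not m or m.group(1) not in MONTHS:
        return None
    day, hh, mm, ss = (int(g) for g in m.groups()[1:])
    # No year in the stamp: assume this year, or last year if that would
    # place the entry in the future (December lines read in January).
    for year in (now.year, now.year - 1):
        try:
            ts = datetime(year, MONTHS[m.group(1)], day, hh, mm, ss)
        except ValueError:  # impossible date or time, e.g. "Feb 30"
            continue
        if ts <= now + timedelta(minutes=1):  # assumed tolerance for clock skew
            return ts
    return None


def recent_lines(lines, now, window=timedelta(minutes=5)):
    """Yield lines stamped within `window` before `now`; unstamped lines
    follow the decision made for the preceding stamped line."""
    cutoff = now - window
    keep = False
    for line in lines:
        ts = entry_time(line, now)
        if ts is not None:
            keep = ts >= cutoff
        if keep:
            yield line


if __name__ == "__main__":
    print("\n".join(recent_lines(SAMPLE, datetime(2004, 9, 17, 4, 4, 21))))
```

For live use, pass the open log file and `datetime.now()` in place of the sample list and the fixed time.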