Reputation: 596
I'm trying to write a script used on a buffer box that does full packet capture of network traffic. As it's for a fairly big network, we split the captures into 100MB segments. At times of high network traffic, often over a one-minute period we will have multiple pcaps which cover that period.
So what I want to do is have a bash script that lets the analyst who is searching for something specify a date and time and how many minutes either side of it they want to search for files. Obviously I can do something like this:
ls -al | grep "Dec 1" | grep 02:00
ls -al | grep "Dec 1" | grep 02:01
and so on, take each result and grep each file individually for the specific keyword I'm looking for, but I'd like to be able to do a wider search for all files created within a time range and then grep each of them for the keyword.
I'm not entirely sure how to do that, any help would be appreciated.
Upvotes: 1
Views: 13260
Reputation: 19395
What I want is for an analyst to say 1st December at 11:00am with a keyword of "foo" searching 5 minutes either side. The script should find all files created between 10:55am and 11:05am and grep them for the keyword "foo"
This script uses touch -d to create temporary files with time stamps of the start and end of the time range, because older versions of find have the option -newer only, not -newermt, and touch -d conveniently allows using the given time specification (with little modification) with the minutes adjustment. The necessary modifications to the given date are done with sed and consist of moving the day after the month and removing suffixes such as st or nd as well as the word at.
read -r -p 'date and time: ' dat
read -r -p '+/- minutes: ' min
read -r -p 'keyword: ' key
# "1st December at 11:00am" -> "December 1 11:00am", a form GNU touch -d accepts
dat=$(sed 's/\([0-9]\+\)\(st\|nd\|rd\|th\|\) \([^ ]*\)/\3 \1/; s/at //' <<<"$dat")
# reference files carrying the start and end time stamps (mktemp avoids a predictable /tmp name)
from=$(mktemp) && to=$(mktemp) || exit 1
touch -d "$dat $min min" "$to"
touch -d "$dat -$min min" "$from"
# files modified after $from and not after $to; -exec ... + copes with odd file names
find . -type f -newer "$from" ! -newer "$to" -exec grep "$key" {} +
rm -f "$from" "$to"
Upvotes: 1
Reputation: 596
find . -maxdepth 1 -newermt "2013-10-28 00:00:00" ! -newermt "2013-10-29 00:00:00"
Upvotes: 1
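As an added example (not code from the question or from any answer here), the -newermt selection above extended to the workflow the question asks for: a date and time, a number of minutes either side, and a keyword to grep for. It assumes GNU date, find and grep (for date -d, -newermt and -printf) and a directory of capture segments named *.pcap; the directory and file names are constructed for the example. It also handles one thing a pure mtime window misses: a rotated segment's mtime is the moment it was closed, so it holds packets from the previous segment's close up to that mtime, and the first segment closed after the window end has to be included to cover the end of the window.

```shell
#!/bin/bash
# Added example: select capture segments by modification time around a point in
# time, then grep them. Assumes GNU date/find/grep (date -d, -newermt, -printf).

# find_pcaps_in_window DIR "YYYY-MM-DD HH:MM" MINUTES
# Prints the *.pcap files in DIR that can hold traffic from the window
# [CENTER - MINUTES, CENTER + MINUTES], oldest first. A rotated segment's mtime
# is the time it was closed, so it contains packets from the previous segment's
# close up to that mtime; the first segment closed after the window end is
# therefore included as well.
find_pcaps_in_window() {
    local dir=$1 center=$2 mins=$3 start end
    start=$(date -d "$center $mins min ago" '+%Y-%m-%d %H:%M:%S') || return 1
    end=$(date -d "$center $mins min" '+%Y-%m-%d %H:%M:%S') || return 1
    # segments closed inside the window (mtime > start and mtime <= end), sorted by mtime
    find "$dir" -maxdepth 1 -type f -name '*.pcap' \
        -newermt "$start" ! -newermt "$end" -printf '%T@ %p\n' | sort -n | cut -d' ' -f2-
    # the segment that was still open when the window ended (first one closed after it)
    find "$dir" -maxdepth 1 -type f -name '*.pcap' -newermt "$end" -printf '%T@ %p\n' \
        | sort -n | head -n 1 | cut -d' ' -f2-
}

# grep_pcaps_in_window DIR CENTER MINUTES KEYWORD
# Prints the selected files that contain KEYWORD as a fixed string. -a makes grep
# search the binary capture instead of only reporting "Binary file ... matches".
grep_pcaps_in_window() {
    local dir=$1 center=$2 mins=$3 key=$4 f
    find_pcaps_in_window "$dir" "$center" "$mins" | while IFS= read -r f; do
        if grep -aqF -- "$key" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Command-line use: script.sh DIR "YYYY-MM-DD HH:MM" MINUTES KEYWORD
if [ "$#" -eq 4 ]; then
    grep_pcaps_in_window "$@"
fi
```

Only files whose name ends in .pcap in the top level of DIR are considered; file names containing newlines would break the line-oriented listing, which is acceptable for capture segments written by a capture tool.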
Reputation: 16389
Say you want 20131130 from 0100 to 0130 - This does that with find:
touch -t 201311300100 dummy1
touch -t 201311300130 dummy2
find /path/to/logs -type f \( -newer dummy1 -a ! -newer dummy2 \) -name '*.log'
The 201311300100 bit is a touch time string. I posted the most vanilla version I know because of the UNIX tag....
Upvotes: 0
Reputation: 255
Check out find with the -cmin or -ctime arguments.
So,
find -iname "*.log" -mtime +30 -mtime -90 -exec grep plasma {} \;
would find files ending in ".log" which were modified more than 30 days ago but less than 90 days ago, then run each such file through grep looking for the word "plasma".
Upvotes: 0