user198634

Reputation: 23

Searching for an error in a log for the last 24 hours or current day

I have a log, 'test.log', and I want to output only the lines from the last 24 hours, or from the current day (since midnight), where the word 'ERROR' appears.

The contents of the log with the match look like this:

Wed Mar 22 04:20:05 UTC 2017 - ERROR - something has gone wrong. Please check.

I have tried the following, however instead of the last 24 hours, I get all lines in the log where the word 'ERROR' appears.

awk -v d="$(date -d '24 hours ago' +'%a %b %d %T %Z %Y')" '$1" "$2>=d &&/ERROR/' test.log

I've also tried

awk -v d="$(date -d 'today' +'%a %b %d %T %Z %Y')" '$1" "$2>=d &&/ERROR/' test.log

and

awk -v d="$(date -d '1 day ago' +'%a %b %d %T %Z %Y')" '$1" "$2>=d &&/ERROR/' test.log

with the same result.

I need this to work without having to give it the exact date I'm searching for as it will be set up in cron to find the ERROR lines for the last 24 hours (or since midnight) and email the output to me.

Thanks!

Upvotes: 2

Views: 1368

Answers (4)

Ed Morton

Reputation: 203358

To get all of the error messages for the current day would just be whichever of these you prefer:

grep "^$(date +'%a %b %d').*ERROR" file
awk -v date="$(date +'%a %b %d')" '$0 ~ "^"date".*ERROR"' file

Upvotes: 1

James Brown

Reputation: 37404

In GNU awk using function mktime and systime:

$ awk '
BEGIN{
    FS="[ :]"                        # multichar FS
    split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec",m," ")
    for(i in m)                      # flip keys and vals
        mm[m[i]]=sprintf("%02d", i)  # zeropad month #s
    st=systime()                     # remember now
}
/ERROR/ {                            # only the ERROR lines
    t=mktime($8 " " mm[$2] " " $3 " " $4 " " $5 " " $6)  # fields are read as local time
    if(t > st-86400)                 # now I am sure. lol
        print                        # print if cool
}' file
Wed Mar 22 04:20:05 UTC 2017 - ERROR - something has gone wrong. Please check.

Upvotes: 1

pii_ke

Reputation: 2891

Try this awk script:

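BEGIN {
    FS = "-"    # awk's field separator variable is FS; $1 becomes the timestamp
    cmd = "date +%s --date=\"24 hours ago\""
    cmd | getline threshold
    close(cmd)
}
/ERROR/ {
    # $1 is pasted into a shell command, so skip lines whose timestamp
    # field holds anything besides letters, digits, colons and spaces
    if ($1 !~ /^[A-Za-z0-9: ]+$/) next
    cmd = "date +%s --date='" $1 "'";
    cmd | getline stamp
    close(cmd)
    if (stamp >= threshold) print
}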

Run this using:

awk -f above_script_file_name log_file

Change 24 hours ago to 00:00 for the current day's log lines with ERROR since midnight.

Upvotes: 0

Michael Vehrs

Reputation: 3363

You should not compare the first two words of the date, but rather the second and the third. Also, remember that this is a string comparison, so a substring of a longer string will always sort first.

Upvotes: -1
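
Added example, not code from any of the answers above: a POSIX sh/awk filter for the question's log format that converts each timestamp to epoch seconds with arithmetic inside awk, so it needs neither gawk's mktime nor a per-line call to date, and no log text is ever placed into a shell command. The name errors_since is hypothetical, and the sketch assumes every timestamp is in UTC, as in the sample line; lines in any other layout are skipped.

```sh
#!/bin/sh
# Added example, not code from the thread. errors_since is a hypothetical helper.
# Usage: errors_since NOW_EPOCH WINDOW_SECONDS [FILE...]   (reads stdin without FILE)
errors_since() {
    now=$1 win=$2
    shift 2
    awk -v now="$now" -v win="$win" '
    # Days since 1970-01-01 for a Gregorian date, integer arithmetic only.
    function days(y, m, d,    era, yoe, doy) {
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= n; i++) mon[name[i]] = i
    }
    /ERROR/ {
        # Expected layout: Wed Mar 22 04:20:05 UTC 2017 - ERROR - text
        # Anything else (other zones, malformed stamps) is skipped, not guessed at.
        if (!($2 in mon) || $3 !~ /^[0-9][0-9]?$/ || $5 != "UTC") next
        if ($4 !~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/) next
        if ($6 !~ /^[0-9][0-9][0-9][0-9]$/) next
        split($4, hms, ":")
        t = days($6, mon[$2], $3) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
        if (t >= now - win && t <= now) print
    }' "$@"
}

# Constructed sample log; "now" is pinned to 2017-03-22 06:20:05 UTC so the
# run is repeatable. Only the 04:20:05 line is printed.
errors_since 1490163605 86400 <<'EOF'
Tue Mar 21 04:20:04 UTC 2017 - ERROR - older than 24 hours
Wed Mar 22 04:20:05 UTC 2017 - ERROR - something has gone wrong. Please check.
Wed Mar 22 05:00:00 UTC 2017 - INFO - not an error
EOF
```

From cron, pass `"$(date +%s)"` as the first argument and `86400` as the second for the last 24 hours. For lines since UTC midnight, pass the current epoch modulo 86400 as the window.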
