salelne

Reputation: 35

Search for log having value greater than certain time

Below is the sample log:

2020-10-14 00:05:44,621 debug  [org.jboss.as] ...............
2020-10-14 00:05:45,560 debug  [org.jboss.as] ...............
2020-10-14 00:05:46,222 debug  [org.jboss.as] ...............
2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss .... server is started ............

Below is the desired output:

2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss .... server is started ............

When I use awk, if it is the exact time it will display the output; otherwise it is not displaying the output. Below is the code:

Not displaying output:

awk /'2020-10-14 00:05:46,607'/ '/home/notyo/application.log' | grep -e 'JBoss.*started'

Displaying output:

awk /'2020-10-14 00:05:46,608'/ '/home/notyo/application.log' | grep -e 'JBoss.*started'

2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss ....  server is started ............

Besides that I got to find a solution. Below works but not as expected.

Displaying output as expected:

grep -e 'JBoss.*started' '/home/notyo/application.log' | awk '$0 >= "2020-10-14 00:05:46,608"'

2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss .... server is started ............

Displaying output. Expecting that it should not display as using >

grep -e 'JBoss.*started' '/home/notyo/application.log' | awk '$0 > "2020-10-14 00:05:46,608"'

2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss .... server is started ............

Can I know why there is such behaviour? Could you advise what the correct approach is?

Upvotes: 0

Views: 182

Answers (2)

tshiono

Reputation: 22012

If you compare the strings with $0 > "2020-10-14 00:05:46,608", it will compare the string 2020-10-14 00:05:46,608 debug [org.jboss.as] ...JBoss .... server is started ............ with a string 2020-10-14 00:05:46,608 which returns true.

In order to compare only date and time portion, please try instead:

grep -e 'JBoss.*started' '/home/notyo/application.log' | awk '($1" "$2) > "2020-10-14 00:05:46,608"'

If you want to include the exact time above, please replace > with >=, which also works as you expect.

Upvotes: 2

anubhava

Reputation: 785058

Your command:

awk '$0 > "2020-10-14 00:05:46,608"'

is not working because you're comparing the full record against the date-time string, but you should be comparing ($1 " " $2) against the date-time string like this:

awk '($1 " " $2) > "2020-10-14 00:05:46,607"' file.log
2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss server is started ............

For proper time comparison, you may use this awk command with a call to mktime to convert the date string into epoch time and then add the millisecond value separately:

cat srchlog.awk

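# Convert "YYYY-MM-DD HH:MM:SS,mmm" to epoch seconds with a fractional part.
# mktime() is a gawk extension; ms is a local variable.
function convt(ts, ms) {
    ms = ts
    sub(/.*,/, "", ms)        # keep only the milliseconds
    sub(/,.*/, "", ts)        # drop them from ts, or mktime() reads them as its DST flag
    gsub(/[-:]/, " ", ts)     # "YYYY MM DD HH MM SS"
    return mktime(ts) + ms/1000
}
BEGIN {
   sval = convt(dt)           # cutoff passed with -v dt=...
}
# Print matching records that are strictly later than the cutoff
/JBoss.*started/ && convt($1 " " $2) > sval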

Then use it as:

awk -v dt='2020-10-14 00:05:46,607' -f srchlog.awk file.log
2020-10-14 00:05:46,608 debug  [org.jboss.as] ...JBoss server is started ............

And then:

awk -v dt='2020-10-14 00:05:46,608' -f srchlog.awk file.log
# no output

Upvotes: 2
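
An added example, not part of either answer: it puts the whole-record comparison from the question beside a field-based filter that also checks the timestamp shape and carries multi-line entries (stack traces) along with the entry they belong to. The function names `whole_record_after`, `logs_after` and `sample_log`, and the sample log itself, are constructed for illustration; only POSIX awk features are used.

```shell
#!/bin/sh
# Added example, not from the thread; names and sample log are constructed.

# The question's comparison: whole record against the cutoff. A line that
# starts with the cutoff but is longer sorts after it, so ">" still matches.
whole_record_after() {
    cutoff=$1; shift
    LC_ALL=C awk -v cutoff="$cutoff" '$0 > cutoff' "$@"
}

# Print entries strictly later than the cutoff (YYYY-MM-DD HH:MM:SS,mmm).
# Lexical comparison is only valid for this fixed-width, zero-padded format,
# so both the cutoff and each line prefix are shape-checked first.
logs_after() {
    cutoff=$1; shift
    # LC_ALL=C: byte-wise string comparison regardless of locale.
    LC_ALL=C awk -v cutoff="$cutoff" '
    BEGIN {
        d = "[0-9]"
        date_re = d d d d "-" d d "-" d d
        time_re = d d ":" d d ":" d d "," d d d
        if (cutoff !~ ("^" date_re " " time_re "$")) {
            print "logs_after: cutoff must be YYYY-MM-DD HH:MM:SS,mmm" > "/dev/stderr"
            exit 2
        }
    }
    # Timestamped line: decide from the timestamp fields only.
    $1 ~ ("^" date_re "$") && $2 ~ ("^" time_re "$") { keep = (($1 " " $2) > cutoff) }
    # Continuation lines (stack traces) inherit the decision of their entry.
    keep
    ' "$@"
}

# Constructed sample: four entries, one followed by a two-line stack trace.
sample_log() {
    cat <<'EOF'
2020-10-14 00:05:45,560 debug  [org.jboss.as] starting
2020-10-14 00:05:46,608 debug  [org.jboss.as] JBoss server is started
2020-10-14 00:05:46,609 error  [org.jboss.as] deployment failed
Caused by: java.lang.IllegalStateException
    at org.example.Main.run(Main.java:1)
2020-10-14 00:05:47,001 debug  [org.jboss.as] retrying
EOF
}

sample_log | logs_after '2020-10-14 00:05:46,608'
```

With the same cutoff, `whole_record_after` returns the boundary entry and the `Caused by:` line but drops the indented `at ...` line, because each of those lines is compared to the cutoff as a plain string.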
