1 Reply Latest reply on Apr 16, 2018 7:11 AM by Aparna Valsala

    Linux - Count occurrences of string in logfile (Last X minutes)

    jbiggley

      I became frustrated after finding a server that wasn't running the standard Perl scripts that are posted on Thwack for log file parsing, so I did some googling and hacked together a new shell script.

       

      WARNING:  I am a hack scripter so take this with a grain of salt.

       

      #!/bin/sh
      
      # USAGE: sh ${script} [path] ["string"]
      # Example: sh ${script} /var/log/messages "login failed"
      
      # Created on 11 Jan 2018 by J Biggley
      # Adapted from https://www.alfredtong.com/linux/grep-log-file-last-5-minutes-contents-every-5-minutes-linux/
      
      # Window bounds in syslog timestamp format, e.g. "Jan 11 10:03" (needs GNU date).
      D1=$(date --date="-5 min" "+%b %_d %H:%M")
      D2=$(date "+%b %_d %H:%M")
      
      # Keep lines that sort between the two bounds (string comparison) or that
      # contain the current minute, then count case-insensitive matches of $2.
      CHECKCOUNT=$(awk -v d1="$D1" -v d2="$D2" '$0 > d1 && $0 < d2 || $0 ~ d2' "$1" | grep -ci -e "$2")
      
      if [ "${CHECKCOUNT}" = 0 ]; then
              echo "Statistic: 0"
              echo "Message: No instances found"
      else
              echo "Statistic: ${CHECKCOUNT}"
              echo "Message: ${CHECKCOUNT} instances found"
      fi
      

       

      I have successfully tested it.

       

      PRO TIP:  If you can execute the script local to the server but the script returns 0 results via testing the component in SAM, then make sure you have given the proper rights to the account you are using to SSH to the server.  You can use the following command line to update those rights.

       

      setfacl -m u:[username]:r [log file]
      Example: setfacl -m u:solarwinds:r /var/log/messages
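
Added example, not part of the original post: a variant of the same check that matches exact minute prefixes instead of comparing strings, so the window also holds when it crosses a month boundary such as Sep 30 to Oct 1, and that reports an unreadable log file separately from a genuine zero count. It assumes GNU date; the function names `count_recent` and `report` and the optional NOW_EPOCH argument are chosen for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes GNU date (-d @EPOCH).
# count_recent and report are names chosen for this example.

# count_recent FILE PATTERN [MINUTES] [NOW_EPOCH]
# Prints how many lines in FILE carry a syslog timestamp ("Mon dD HH:MM") from
# the last MINUTES minutes and match PATTERN (case-insensitive regex).
# Returns 2 when FILE is not readable by the current account.
count_recent() {
    file=$1 pat=$2 mins=${3:-5} now=${4:-$(date +%s)}
    [ -r "$file" ] || return 2

    # One 12-character prefix per minute in the window, e.g. "Jan 11 10:03".
    # LC_ALL=C keeps the English month abbreviations syslog writes.
    prefixes=$(
        i=0
        while [ "$i" -le "$mins" ]; do
            LC_ALL=C date -d "@$((now - i * 60))" "+%b %e %H:%M"
            i=$((i + 1))
        done
    )

    # Keep lines starting with one of the prefixes, then count pattern matches.
    # grep -c exits 1 on zero matches, which is not an error here.
    printf '%s\n' "$prefixes" |
        awk 'NR == FNR { want[$0]; next } (substr($0, 1, 12) in want)' - "$file" |
        grep -ci -e "$pat" || true
}

# Print the Statistic/Message pair, with a distinct message for an unreadable log.
report() {
    if n=$(count_recent "$@"); then
        echo "Statistic: $n"
        echo "Message: $n instances found"
    else
        echo "Statistic: 0"
        echo "Message: cannot read $1 (check the file ACL for this account)"
    fi
}

# Run as: sh script.sh /var/log/messages "login failed"
if [ "$#" -ge 2 ]; then report "$@"; fi
```

The timestamps are interpreted in the server's local time zone, the same as the syslog entries they are matched against.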