I have a log file like this:
Oct 11 2022 17:00:00 AriaDezh filterlog: 1054<1>,82,,,0,lo0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 12 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 14 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
I want the dateTimes compared, and to get the logs that are between two dateTimes and contain 192.168.1.1:
grep -F /2022-10-12T16:00:00/ /2022-10-13T18:00:00/ '192.168.1.1'
The expected result would be like this:
Oct 13 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
How can I do that?
CodePudding user response:
rquery (https://github.com/fuyuncat/rquery/releases) is a perfect tool to search logs. You can use rq like a SQL query. In your case, the fields can be split by space, then construct the first 3 fields as a complete date.
[ rquery]$ cat samples/logdates.txt
Oct 13 17:35:25 AriaDezh filterlog: 1054<1>,82,,,0,lo0,special string,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:36:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:37:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:38:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:39:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
[ rquery]$ ./rq -q "p d/ / | s @raw | f @1 ' ' @2 ' 2022 ' @3>='Oct 13 2022 17:36:25' and @1 ' ' @2 ' 2022 ' @3<='Oct 13 2022 17:38:25' and @raw like '*special string*'" samples/logdates.txt -m error
Oct 13 17:37:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
CodePudding user response:
Using GNU awk for the mktime() function.
awk -v start='2022 10 12 16 00 00' -v end='2022 10 13 18 00 00' '
function month2num(mon) {
    # position of the 3-letter month name in the list, turned into 1..12
    return sprintf("%02d", (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3)
}
# build "YYYY MM DD HH MM SS", the format mktime() expects
{ dt = $3 " " month2num($1) " " $2 " " $4; gsub(/:/, " ", dt) }
mktime(dt) >= mktime(start) && mktime(dt) <= mktime(end) && /192\.168\.1\.1/' infile
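The same time-window filter as a small parser, added here as an example and not code from either answer: it parses the "Mon DD YYYY HH:MM:SS host filterlog: csv" shape of the question's lines, takes the window as the ISO 8601 strings the question's grep attempt used, and compares the IP against whole comma-separated fields rather than as a substring (a bare regex like /192\.168\.1\.1/ also matches 192.168.1.10 or 192.168.1.100). The sample log is constructed to mirror the question's lines, with one 192.168.1.10 record added to show that difference.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the question's log (not real traffic); the
# 192.168.1.10 line is there to show why a substring match on 192.168.1.1 is wrong.
SAMPLE_LOG = """\
Oct 11 2022 17:00:00 AriaDezh filterlog: 1054<1>,82,,,0,lo0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 12 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 2022 17:30:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 14 2022 17:00:00 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
"""

# "<Mon> <day> <year> <HH:MM:SS> <host> filterlog: <comma-separated fields>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) filterlog: (?P<csv>.*)$"
)

def parse_line(line):
    """Return (timestamp, host, list_of_fields), or None for lines that are not filterlog records."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # strptime tolerates the extra space syslog puts before single-digit days ("Oct  3").
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    return ts, m.group("host"), m.group("csv").split(",")

def filter_log(text, start_iso, end_iso, ip):
    """Return the lines whose timestamp is within [start, end] (ISO 8601 strings, as in the
    question's grep attempt) and that carry `ip` as a whole comma-separated field.
    Comparing whole fields, not substrings, is what keeps 192.168.1.10 from matching 192.168.1.1."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip non-filterlog lines instead of crashing on them
        ts, _host, fields = parsed
        if start <= ts <= end and ip in fields:
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in filter_log(SAMPLE_LOG, "2022-10-12T16:00:00", "2022-10-13T18:00:00", "192.168.1.1"):
        print(hit)
```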