Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Grep logs for last hour?

    General pfSense Questions
    2
    5
    769
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      Cylosoft
      last edited by

      I've figured out how to grep the logs for the last day, but I can't find anything that works on pfSense for the last 1 hour. Seems like it shouldn't be hard, but I'm not figuring it out. Any grep experts that can help me?

      Here is my working last 1 day.

      grep -i "Restart" /var/log/resolver.log | grep -e "^date -v-1d +'%b %e'"

      J 1 Reply Last reply Reply Quote 0
      • J
        jrey @Cylosoft
        last edited by

        @Cylosoft

        This should get you started and give you the last hour of records and then further filter that to ones that contain Restart.

        sed -n "/$(date -v -1H +'%b %d %H:%M:')/,/$(date +'%b %d %H:%M:')/p" /var/log/resolver.log | grep -e "Restart"

        I could not test this with resolver.log on my system, not enough noise in that
        file. I did test with filter.log and changed the "Restart" to one of the rules to verify it works as expected.

        As written, it also won't handle a file that has recently rolled over ie file.log.0
        (that is where part of the last hour is in the old file and part in the new)

        also if the start pattern isn't found it may not process to the end pattern, In that case you may need to remove %M: in both locations to have it process just based on hour. (if there are records every minute, it will be fine, if you have minute gaps in records remove the %M:)
        so for example if "now" is 10:14: and there is no record with a 09:14: time stamp the start pattern won't match.

        Have fun.

        1 Reply Last reply Reply Quote 1
        • C
          Cylosoft
          last edited by

          Thanks! I'll give it a try.

          J 1 Reply Last reply Reply Quote 0
          • J
            jrey @Cylosoft
            last edited by jrey

            @Cylosoft

            it depends on what you are really after

            the sed example will provide you with the previous hour starting - going back from the current time to the same time in the previous hour.

            You could also just ask for the entire hour for the previous hour, regardless of when you start it in the current hour.

            this would give you the detail of every record

            grep "$(date -v -1H +'%b %d %H:')" /var/log/resolver.log | grep "Restart"

            if you just want to know how many times without seeing the records

            grep "$(date -v -1H +'%b %d %H:')" /var/log/resolver.log | grep -c "Restart"

            There are 10's if not 100's of ways to do this, depending on what you are really trying to accomplish.

            same issue here, if the previous hour has rolled over into (file.log.0)

            C 1 Reply Last reply Reply Quote 2
            • C
              Cylosoft @jrey
              last edited by Cylosoft

              @jrey said in Grep logs for last hour?:

              You could also just ask for the entire hour for the previous hour, regardless of when you start it in the current hour.

              this would give you the detail of every record

              grep "$(date -v -1H +'%b %d %H:')" /var/log/resolver.log | grep "Restart"

              This worked out perfectly for what I was doing. Thanks.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.