Log Entry Date Manipulation

(imported topic written by jcsUTSW)

I need to write an analysis that will return the lines from an error log that are from the past 24 hours (if any exist).

The log is formatted like this.

01/25/2009 07:04:07 ANS1577I The Windows console event handler received a ‘Logoff’ console event.
01/25/2009 07:04:07 ANS1577I The Windows console event handler received a ‘Logoff’ console event.
01/25/2009 07:04:11 ANS1577I The Windows console event handler received a ‘Logoff’ console event.
01/25/2009 07:04:11 ANS1577I The Windows console event handler received a ‘Logoff’ console event.
01/25/2009 07:04:20 ANS1577I The Windows console event handler received a ‘Shutdown’ console event.
01/25/2009 07:04:20 ANS1577I The Windows console event handler received a ‘Shutdown’ console event.

Any ideas how I can convert that date / time format to something I can subtract from current date and time? If the line is less than 24 hours old then return the line?

Thanks in advance

(imported comment written by BenKus)

Time parsing is always a beast because there are so many formats for times, dates, time zones, etc and often it is very hard to know precisely in certain formats (for instance, what is “02/05/2009 10:35:00”? might it be March 2nd? maybe Feb 5th? also, what time zone?)… We use time formats that are compatible with official “mime datetimes” and if they aren’t in that format, you will need to convert them with string parsing… I did it for you here:

Q: (((last 2 of first 5 of it as integer as day_of_month) & (first 2 of it as integer as month) & (last 4 of first 10 of it as integer as year)) & ((last 8 of it) as local zoned time_of_day)) of ("01/25/2009 07:04:07")
A: Sun, 25 Jan 2009 07:04:07 -0800
T: 0.134 ms
I: singular time

So you would incorporate this with something like:

lines whose ((((last 2 of first 5 of it as integer as day_of_month) & (first 2 of it as integer as month) & (last 4 of first 10 of it as integer as year)) & ((last 8 of it) as local zoned time_of_day)) of (first 19 of it) of it > now - 1*day) of file "C:\blah.log"

(I didn’t test this much so you should try it out…)

Ben

(imported comment written by jcsUTSW)

This all works great, thank you for the help.

I do have another question, though… If I needed to return the lines that are X old that contain a specific word how would I do that?

lines whose ((((last 2 of first 5 of it as integer as day_of_month) & (first 2 of it as integer as month) & (last 4 of first 10 of it as integer as year)) & ((last 8 of it) as local zoned time_of_day)) of (first 19 of it) of it > now - 1*day) of file "C:\blah.log"

I need to add this somehow: whose (exists (line of it) whose (it contains "my keyword"))

Thanks again

(imported comment written by BenKus)

You can just add an “… AND …” to the existing whose clause that I put in there… for instance:

lines whose ((((last 2 of first 5 of it as integer as day_of_month) & (first 2 of it as integer as month) & (last 4 of first 10 of it as integer as year)) & ((last 8 of it) as local zoned time_of_day)) of (first 19 of it) of it > now - 1*day AND (it as lowercase contains "my keyword")) of file "C:\blah.log"
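
Added example, not part of the thread and not BigFix relevance: the same filter (lines newer than 24 hours, optionally containing a keyword) written in Python, with the month-first date order and the time zone stated explicitly and lines that carry no valid timestamp skipped. The function names, sample lines and fixed clock are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

STAMP_FORMAT = "%m/%d/%Y %H:%M:%S"  # month first, as in the thread's log
STAMP_LENGTH = 19                   # same span as "first 19 of it"

def parse_stamp(line, tz):
    """Return an aware datetime for the line's timestamp, or None."""
    try:
        naive = datetime.strptime(line[:STAMP_LENGTH], STAMP_FORMAT)
    except ValueError:
        return None  # blank, continuation or corrupt line
    # The log carries no zone, so the caller has to state one.
    return naive.replace(tzinfo=tz)

def recent_lines(lines, now, tz, max_age=timedelta(days=1), keyword=None):
    """Lines stamped after now - max_age that contain keyword, if one is given."""
    cutoff = now - max_age
    wanted = keyword.lower() if keyword else None
    hits = []
    for line in lines:
        stamp = parse_stamp(line, tz)
        if stamp is None or stamp <= cutoff:
            continue
        if wanted and wanted not in line.lower():
            continue
        hits.append(line)
    return hits

# Constructed sample data; -08:00 matches the offset in the QnA output above.
PACIFIC = timezone(timedelta(hours=-8))
NOW = datetime(2009, 1, 25, 12, 0, 0, tzinfo=PACIFIC)
SAMPLE = [
    "01/24/2009 12:30:00 ANS1577I The Windows console event handler received a 'Logoff' console event.",
    "01/25/2009 07:04:20 ANS1577I The Windows console event handler received a 'Shutdown' console event.",
    "01/23/2009 23:59:59 ANS1577I The Windows console event handler received a 'Shutdown' console event.",
    "    continuation text without a timestamp",
    "13/25/2009 07:04:07 ANS1577I constructed line with an impossible month",
]

if __name__ == "__main__":
    for hit in recent_lines(SAMPLE, NOW, PACIFIC, keyword="shutdown"):
        print(hit)
```

Reading the same timestamps as UTC instead of -08:00 moves the 24-hour cutoff by eight hours and drops the first sample line, which is the time zone ambiguity raised earlier in the thread.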