Log file checking with date

Hello,

I’m trying to search for a specific line in a log file. I have already got the right line with this:

q: (maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
A: Mon, 23 May 2022

Now I would like to check if this line is older than some hours ago, but I’m stuck:

q: ((maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing "E: SpApi::updateEnginesConfig: Operation failed" of it) of file “D:\install-virgo-win64.log”) whose (it < (now - 6day))
E: The operator “less than” is not defined.

I’ve simply added

whose (it < (now - 6day))
expecting a simple comparison of dates…

Can anyone help me? Thanks for your help.

Well, the problem you have is the type of output - you are producing type “date” where “now - 6 * day” is of type “time”, and you can’t compare them directly. What you want to do is “current date - 6 * day” instead, but you may want to check the logic - whose is generally used for filtering multiple results, so are you expecting there to be multiple rows? If not, you can just compare the left-most result:

(it < (current date - 6 * day)) of (maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

If it is in fact multiple rows from the same day, then “whose” would work.

Thank you, it looks promising, but I also need to compare the time, and my relevance does not extract the time, only the date. Do you have an idea on how to proceed? Here is the raw log:

2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed

Thanks for your great help.

I’m stuck here:

q: (preceding text of first " [" of “2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed”)
A: 2022-05-23 11:11:46.948

I’m looking for a kind of StringToDate function…

If you are happy comparing just the date and don’t care about the time, then what you have will work. Just change what you are comparing to from “now” to “current date”… Try this:

(it < (current date - 6 * day)) of (maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

OR

((maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”) whose (it < (current date - 6 * day))

Hello, no, I also need to compare the time (1 hour older trigger).
Thank you.

I’m nearly good:

(substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of “2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed”)

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
A: Mon, 23 May 2022 11:11:46 +0200

I’m trying to find now how to see if older than 1 hour and last occurrence for sure…

Stuck here:

q: maxima of it of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
E: Singular expression refers to non-unique object.

It should be unique as maxima is used, isn’t it?

Another place where I’m stuck:

q: (it < (current date - 1*hour)) of (maxima of (it as date) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it)) of file “D:\install-virgo-win64.log”
E: The operator “date” is not defined.

whereas a simple query gives:

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
A: Mon, 23 May 2022 11:11:46 +0200

You need to convert it to “time” after you have compiled it as a string:

maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

And since you are doing the comparison by “time”, you should go back to using “now”:
(it < (now - 1*hour)) of maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

Hello, it doesn’t work:

q: (it < (now - 1*hour)) of maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
E: The operator “time” is not defined.

q: maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
E: The operator “time” is not defined.

What do you get from

(substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"

Do the results of that all look like strings that will convert to time?

Hello, thanks for the help, I get this:

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
A: Mon, 23 May 2022 11:11:46 +0200
E: Singular expression refers to non-unique object.

OK, so you have singular relevance but not getting exactly 1 result.

Try

(substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding texts of firsts " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

It gives that, so I need the last one to check if it’s older than 1 hour ago… (11:51)

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding texts of firsts " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”
A: Mon, 23 May 2022 11:11:46 +0200
A: Mon, 23 May 2022 11:31:48 +0200
A: Mon, 23 May 2022 11:51:46 +0200
T: 1.934 ms

So, now that you are getting results from your file extract relevance, you can start to extend it again to firstly convert the results to type ‘time’, then find the latest event and/or test to see if there is an event within 1 hour.

(it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"

etc.


Thanks, I finally found the end:

q: if (exists file “C:\ProgramData\F-Secure\Log\Ultralight\install-virgo-win64.log”) then ((it > (now - 1*hour)) of maxima of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding texts of firsts " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “C:\ProgramData\F-Secure\Log\Ultralight\install-virgo-win64.log”) else false
A: False

Thanks for the great help!

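The check this thread converges on (parse the full timestamp rather than only the date, take the newest matching line when several match, and compare it against a one-hour window), written out in Python as an added example; it is not code from any poster and it is not BigFix relevance. The function names are hypothetical, the sample log is constructed around the one raw line quoted in the thread, and timestamps are treated as naive local time because the log line carries no zone.

```python
from datetime import datetime, timedelta
from pathlib import Path

MARKER = "*E: SpApi::updateEnginesConfig: Operation failed"
STAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # e.g. 2022-05-23 11:11:46.948

# Constructed sample: only the first line appears in the thread; the others
# reuse the times from the thread's output with made-up milliseconds.
SAMPLE_LOG = """\
2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed
2022-05-23 11:31:48.120 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed
2022-05-23 11:40:02.500 [1d64.1fa4] I: unrelated line (constructed)
2022-05-23 11:51:46.301 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed
truncated line *E: SpApi::updateEnginesConfig: Operation failed
"""


def failure_times(lines, marker=MARKER):
    """Yield a naive local datetime for every line containing the marker."""
    for line in lines:
        if marker not in line:
            continue
        stamp, sep, _ = line.partition(" [")  # text before the first " ["
        if not sep:
            continue  # no thread-id bracket, so no usable timestamp
        try:
            yield datetime.strptime(stamp.strip(), STAMP_FORMAT)
        except ValueError:
            continue  # malformed timestamp: skip rather than abort the check


def latest_failure(lines, marker=MARKER):
    """Newest matching timestamp, or None when nothing matched."""
    return max(failure_times(lines, marker), default=None)


def failed_recently(lines, now, window=timedelta(hours=1)):
    """True when the newest failure is younger than `window`."""
    latest = latest_failure(lines)
    return latest is not None and latest > now - window


def check_file(path, now=None, window=timedelta(hours=1)):
    """File-level wrapper; a missing file counts as 'no recent failure'."""
    log = Path(path)
    if not log.is_file():
        return False
    with log.open(encoding="utf-8", errors="replace") as handle:
        return failed_recently(handle, now or datetime.now(), window)
```

Passing `now` explicitly keeps the check reproducible; in production use `check_file(path)` falls back to the current local time.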