Log file checking with date

cmbc 2022-05-24 09:13:43 UTC #1

Hello,

i’m trying to search for a specific line in a log file, i have already get the right line with this

q: (maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
A: Mon, 23 May 2022

Now i would like to check if this line is older than some hours ago but i stuck:

q: ((maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing "E: SpApi::updateEnginesConfig: Operation failed" of it) of file “D:\install-virgo-win64.log”) whose (it < (now - 6day))
E: The operator “less than” is not defined.

I’ve simple add

whose (it < (now - 6day))
expecting a simple comparison of date…

Does anyone can help me? Thansk for your help

ageorgiev 2022-05-24 09:31:06 UTC #2

Well, the problem you have is the type of output - you are producing type “date” where “now - 6 * day” is of type “time”, and you can’t compare them directly. What you want to do is “current date - 6 * day” instead but you may want to check the logic - whose is generally used for filtering multiple results, so are you expecting to be multiple rows? If not you can just compare the left-most result:

(it < (current date - 6 * day)) of (maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

If it is in fact multiple rows from the same day, then “whose” would work.

cmbc 2022-05-24 09:41:59 UTC #3

thank you, it looks promisings but i need to compare also time but my relevance do not extract the time, only the date, do you have an idea on how to proceed, here is the raw log:

2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed

Thanks for your great help

cmbc 2022-05-24 10:03:22 UTC #4

i stuck here:

q: (preceding text of first " [" of “2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed”)
A: 2022-05-23 11:11:46.948

I’m looking for a king of StringToDate function…

ageorgiev 2022-05-24 10:24:45 UTC #5

If you are happy comparing just the date and don’t care of the time, then what you have will work. Just change what you are comparing to from “now” to “current date”… Try this:

(it < (current date - 6 * day)) of (maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

((maxima of (it as date) of (following text of last “-” of it & " " & preceding text of first “-” of following text of first “-” of it as integer as month as three letters & " " & preceding text of first “-” of it) of (preceding text of first " " of it) of lines containing “E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”) whose (it < (current date - 6 * day))

cmbc 2022-05-24 10:25:52 UTC #6

hello, no i need to compare also time (1 hour older trigger)
thank you

I’m nearly good:

(substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of “2022-05-23 11:11:46.948 [1d64.1fa4] *E: SpApi::updateEnginesConfig: Operation failed”)

cmbc 2022-05-24 10:39:15 UTC #7

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
A: Mon, 23 May 2022 11:11:46 +0200

I’m trying to find now how to see if older than 1 hour and last occurence for sure…

cmbc 2022-05-24 10:47:48 UTC #8

stuking here:

q: maxima of it of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
E: Singular expression refers to non-unique object.

It should be unique as maxima is used, isn’t it?

anosther stuck

q: (it < (current date - 1*hour)) of (maxima of (it as date) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it)) of file "D:\install-virgo-win64.log"
E: The operator “date” is not defined.

where a simple query give:

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
A: Mon, 23 May 2022 11:11:46 +0200

ageorgiev 2022-05-24 11:05:04 UTC #9

Need to convert it to “time” after you compiled it as string:

maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

And since you are doing the comparison by “time”, you should go back to using “now”:
(it < (now - 1*hour)) of maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

cmbc 2022-05-25 07:27:15 UTC #10

Hello, it doesn’t work:

q: (it < (now - 1*hour)) of maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
E: The operator “time” is not defined.

q: maxima of (it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
E: The operator “time” is not defined.

trn 2022-05-25 09:12:25 UTC #11

What do you get from

(substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"

Do the results of that all look like strings that will convert to time?

cmbc 2022-05-25 09:13:45 UTC #12

Hello, thanks for help, i get this

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
A: Mon, 23 May 2022 11:11:46 +0200
E: Singular expression refers to non-unique object.

trn 2022-05-25 09:38:15 UTC #13

OK, so you have singular relevance but not getting exactly 1 result.

Try

(substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding texts of firsts " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “D:\install-virgo-win64.log”

cmbc 2022-05-25 10:45:55 UTC #14

it give that, so i need the last one to check if it’s older than 1 hour ago… (11:51)

q: (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding texts of firsts " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"
A: Mon, 23 May 2022 11:11:46 +0200
A: Mon, 23 May 2022 11:31:48 +0200
A: Mon, 23 May 2022 11:51:46 +0200
T: 1.934 ms

trn 2022-05-25 11:05:28 UTC #15

So, now you are getting results from your file extract relevance, you can start to extend it again to firstly convert the results to type ‘time’, then find the latest event and/or test to see if there is an event within 1 hour

(it as time) of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding text of first " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file "D:\install-virgo-win64.log"

etc.

cmbc 2022-05-25 11:06:22 UTC #16

thanks, i finally found the end

q: if (exists file “C:\ProgramData\F-Secure\Log\Ultralight\install-virgo-win64.log”) then ((it > (now - 1*hour)) of maxima of (substring (8,2) of it as day_of_month & substring (5,2) of it as integer as month & first 4 of it as year & substring (11,8) of it as local zoned time_of_day) of (preceding texts of firsts " [" of lines containing “*E: SpApi::updateEnginesConfig: Operation failed” of it) of file “C:\ProgramData\F-Secure\Log\Ultralight\install-virgo-win64.log”) else false
A: False

Thanks for the great help!