0

I wrote a bash script to extract a few items, like the IP addresses that make the most connection attempts. Now I want to limit all of this to a time range, let's say the last 5 days/hours.

Example of what I wrote:

-G: Which IP address makes the most number of connection attempts?

    if [ "$3" = "-G" ]; then
        # I won't write the whole code!
        printf 'IP address makes the most number of connection attempts:\n\n'
        # Count requests per client IP (field 1), busiest first, as "IP<TAB>count"
        awk '{print $1}' "$4" | sort | uniq -c | sort -r -n | awk '{print $2 "\t" $1}' >> Connections
        head -n "$2" Connections
        rm Connections
    fi

Now I want to add these items:

-O: Limit it to last number of hours

-P: Limit it to the last number of days

and I run it like this: sh -O -P -G *.log

Example log file:

213.46.27.204 - - [15/Sep/2011:22:55:21 +0100]
213.46.27.204 - - [16/Sep/2011:22:55:21 +0100]
213.46.27.204 - - [17/Sep/2011:22:55:21 +0100]
213.46.27.204 - - [18/Sep/2011:22:55:21 +0100]
213.46.27.204 - - [19/Sep/2011:22:55:21 +0100]

Please answer with just a bash script, not Python or Perl.


We have the last date in the log file and we want to extract the last 5 hours/days, so:

I found this script that converts the date to a Unix-recognizable format, but since I have Mac OS X I could not run it :( (do you know why?)

    #!/usr/bin/env bash

    # Timestamp of the last log line: the text between [ and ]
    temp_date=`tail -n1 ./serverlog.log \
    | cut -d '[' -f 2 | cut -d ']' -f 1`

    echo "$temp_date"

    # Replace the month name with its two-digit number
    temp_date2=`echo $temp_date | \
    sed -e 's/Jan/01/g' \
    -e 's/Feb/02/g' -e 's/Mar/03/g' \
    -e 's/Apr/04/g' -e 's/May/05/g' \
    -e 's/Jun/06/g' -e 's/Jul/07/g' \
    -e 's/Aug/08/g' -e 's/Sep/09/g' \
    -e 's/Oct/10/g' -e 's/Nov/11/g' \
    -e 's/Dec/12/g'`

    echo "$temp_date2"

    # Fixed-width fields of DD/MM/YYYY:HH:MM:SS
    temp_year=`echo $temp_date2 | gawk '{print substr($0,7,4)}'`
    temp_month=`echo $temp_date2 | gawk '{print substr($0,4,2)}'`
    temp_day=`echo $temp_date2 | gawk '{print substr($0,1,2)}'`
    temp_time=`echo $temp_date2 | gawk '{print substr($0,12,8)}'`

    # Rearranged as YYYY-MM-DD HH:MM:SS (the +0100 offset is dropped)
    utc_date="$temp_year-$temp_month-$temp_day $temp_time"

    echo "$utc_date"

    # Seconds since the epoch; --utc and -d are GNU date options
    reference_seconds=`date --utc -d "$utc_date" +%s`

    echo "$reference_seconds"

I recognized that the last step would be to subtract 5 hours/days from the last date.

lastdate(converted) - (5*3600) = X, now we can extract the last 5 hours from the log file. last date - (5*24*3600) + X, now we can extract the last 5 days from the log file.

Now, any idea how exactly to write this?

sysadmin1138
matarsak
  • http://serverfault.com/questions/296555/shell-script-find-entries-in-access-log-with-500-response-within-a-specified-dat – quanta Sep 20 '11 at 09:58
  • It was not what I wanted, I want the items within the last X hours/days! – matarsak Sep 20 '11 at 19:32
  • I’m voting to close this question because how I miss the "question must show a basic understanding of the problem being discussed" close reason... – Massimo Sep 30 '21 at 23:09

2 Answers

0

There's a script here that will output the lines within a certain date range. Pipe the output to your program and that's it.

Noam Kremen
0

> It was not what I wanted, I want the items within the last X hours/days

  1. Get the last time with:

    endtime=`tail -n 1 "$3" | awk '{ print substr($4, 2, length($4)-1) }'`
    
  2. Convert it to Epoch time.

  3. starttime is calculated by subtracting the last hours (days) you want to filter from the endtime:

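    # $1 is the option, $2 the number of hours or days
    if [ "$1" = "-O" ]; then
        time=`expr $2 \* 60 \* 60`
    fi
    if [ "$1" = "-P" ]; then
        time=`expr $2 \* 24 \* 60 \* 60`
    fi

    # endtime_epoch holds the result of step 2
    starttime=`expr $endtime_epoch - $time`
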

Refer to this topic which I mentioned above to complete your task.

quanta
  • I wrote the script like this (for extracting the last 5 hours): time=`expr 60 \* 60 \* 24 \* 5`, EDATE=`tail -1 final`, SDATE=`expr EDATE - time`, but it does not work: expr: non-numeric argument. Any idea what I should write? – matarsak Sep 22 '11 at 06:52
  • It doesn't work because you didn't convert `EDATE` to Epoch time. And it seems you are also missing the backtick; use `$()` instead. – quanta Sep 22 '11 at 07:11
  • Now I have time=$(expr 60 \* 60 \* 24 \* 5), which is 432000, and EDATE=2002-09-26 02:20:30. I wrote SDATE=`expr EDATE - time` and it did not run: expr: non-numeric argument (how could it subtract that number from a date?). Shouldn't I use the command date --date instead? If so, please tell me how. – matarsak Sep 22 '11 at 07:42
  • Convert it to Epoch time with `date +%s`. Didn't you read the above referenced topic? – quanta Sep 22 '11 at 07:48
  • Now I converted it: 1041425721, but still SDATE=`expr EDATE - time` does not work. – matarsak Sep 22 '11 at 08:59
  • `SDATE=$(expr EDATE - time)`. You should read the document about the basic shell scripting first. – quanta Sep 22 '11 at 09:04
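
The three steps from the answer above (find the last timestamp, convert to epoch time, subtract the window) put together as an added example; it is not code from any poster in this thread. It uses only POSIX sh and awk, so it does not need gawk or GNU date's `-d`, which the script in the question relies on. The function names `recent_lines`, `top_ips` and `sample_log` are hypothetical, and the timestamp and UTC offset are assumed to be fields 4 and 5, as in the sample log.

```shell
# recent_lines UNIT COUNT FILE: print the lines of FILE that fall within
# COUNT hours (UNIT=h) or days (UNIT=d) before its newest entry.
# FILE is read twice: pass 1 finds the newest timestamp, pass 2 filters.
recent_lines() {
    case "$1" in
        h) window=$(( $2 * 3600 )) ;;
        d) window=$(( $2 * 86400 )) ;;
        *) echo "usage: recent_lines h|d COUNT FILE" >&2; return 2 ;;
    esac
    awk -v window="$window" '
    # "[19/Sep/2011:22:55:21" and "+0100]" -> UTC epoch seconds, -1 if malformed
    function epoch(stamp, zone,    t, y, m, days, off) {
        if (split(substr(stamp, 2), t, "[/:]") != 6 || length(t[2]) != 3) return -1
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", t[2]) + 2) / 3
        if (m != int(m)) return -1
        y = t[3] + 0
        if (m <= 2) { y--; m += 9 } else m -= 3     # count the year from March
        days = 365*y + int(y/4) - int(y/100) + int(y/400) - 719468
        days += int((153*m + 2) / 5) + t[1] - 1
        off = substr(zone, 2, 2) * 3600 + substr(zone, 4, 2) * 60
        if (substr(zone, 1, 1) == "-") off = -off
        return days * 86400 + t[4] * 3600 + t[5] * 60 + t[6] - off
    }
    NR == FNR { e = epoch($4, $5); if (e > newest) newest = e; next }
    { e = epoch($4, $5) }
    e >= 0 && e > newest - window
    ' "$3" "$3"
}

# top_ips N: the N busiest client IPs on stdin, printed as "IP<TAB>count"
top_ips() {
    awk '{ print $1 }' | sort | uniq -c | sort -rn | head -n "$1" |
        awk '{ print $2 "\t" $1 }'
}

# Constructed sample data in the format shown in the question
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [15/Sep/2011:22:55:21 +0100]
198.51.100.7 - - [16/Sep/2011:09:00:00 +0100]
203.0.113.9 - - [19/Sep/2011:18:10:00 +0100]
203.0.113.9 - - [19/Sep/2011:20:30:00 +0100]
198.51.100.7 - - [19/Sep/2011:21:00:00 +0000]
malformed line without a timestamp
203.0.113.9 - - [19/Sep/2011:22:55:21 +0100]
EOF
}
```

For the question's options, `-O 5` corresponds to `recent_lines h 5 FILE` and `-P 5` to `recent_lines d 5 FILE`; pipe either into `top_ips` to rank the addresses inside that window. Lines whose timestamp cannot be parsed are skipped rather than counted.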