35

let's have

```
126 Mar  8 07:45:09 nod1 /sbin/ccccilio[12712]: INFO: sadasdasdas
  2 Mar  9 08:16:22 nod1 /sbin/zzzzo[12712]: sadsdasdas
  1 Mar  8 17:20:01 nod1 /usr/sbin/cron[1826]: asdasdas
  4 Mar  9 06:24:01 nod1 /USR/SBIN/CRON[27199]: aaaasdsd
  1 Mar  9 06:24:01 nod1 /USR/SBIN/CRON[27201]: aaadas
```

I would like to sort this output by date and time key.

Thank you very much.

Martin

Mejmo

4 Answers

68

For GNU sort: `sort -k2M -k3n -k4`

  • `-k2M` sorts by second column by month (this way "March" comes before "April")
  • `-k3n` sorts by third column in numeric mode (so that " 9" comes before "10")
  • `-k4` sorts by the fourth column.

See more details in the manual.

Toby Speight
  • The `-k4` does nothing (it is already covered by the `-k3`). You may wish to use `-s` so that otherwise identical lines (as far as `sort` is concerned) keep the same order that they had in the log file. – bobbogo Mar 09 '11 at 16:17
  • @bobbogo: Actually one may use `-k2M,4`, but it's less… educative:) –  Mar 09 '11 at 21:29
  • @pooh: No. `-k2M,4` applies `M` to this whole sort key, and therefore only the month name will be used. To see this, add the `--debug` flag. – bobbogo Mar 10 '11 at 12:00
  • @bobbogo: Hm. In the standard it's said: «The other modifiers shall behave like the corresponding options, but shall apply only to the key field to which they are attached; they shall have this effect if specified with field_start, field_end, or both.» Well, **M** type isn't POSIX, so probably the behavior is different. –  Mar 10 '11 at 13:23
  • @pooh: `-k2M,4` means "use fields 2, 3, and 4 as a _single_ sort field, sorting it as month names." Fine. Problem is, `M` canonicalises any text into month names first, so a field containing text like `Dec 22:33:25 [Hello] ` will become simply `DEC` under the influence of `-M`. – bobbogo Mar 11 '11 at 18:16
  • @bobbogo: I believe you're wrong. I've played with the following file (line by line): Mar Dec/Mar Jan/Dec Mar/Jan Mar. In our case it's sorted lexicographically by the second field. –  Mar 11 '11 at 20:41
  • @pooh: Does your sort have `--debug` (or equivalent)? Could you explain what you think `-k2M,4` means? – bobbogo Mar 14 '11 at 13:00
  • @bobbogo: It's just a `sort` from quite recent binutils on Gentoo… I cannot fully grok the documentation now, but i would expect the sort key to be restricted to fields 2,3 and 4, sorting by month in second field and by default in 3 and 4 which is lexicographical. Therefore it seems to be equal to `-k2M -k3 -k4`. I've watched the results of `-Mk1,2`, `-Mk1 -k2`, `-kM1,2` and `-kM1 -k2` in my example. Uh. It's all so vague now for me, i think i should ask the question myself:))) –  Mar 14 '11 at 14:32
  • @pooh: Well, I'm using Cygwin at the mo, and its utilities always seem to be fairly up-to-date (`--debug` is a new one on me). Note that `-k3` means _use the text from the start of field three through to the end of line as a sort key_. If you just want to use _just_ field 3 as a sort key, then that's `-k3,3`. There is always a final sort key added in order to decide tie breaks, and that's the whole of the line (_unless_ you specify `-s` (Sigh!)). `-M` is special. `--debug` is fantastic. – bobbogo Mar 14 '11 at 18:29
  • @bobbogo: `-k3` is third field, because «A field comprises a maximal sequence of non-separating characters» and the default separator is blank. Therefore the field boundary shall be the next separator. –  Mar 14 '11 at 20:30
  • @pooh: Not quite. The syntax is `-k POS1[,POS2]`. If you omit _POS2_ then that means to the end of line. To quote the manual, "To sort on the second field, use `--key=2,2` (`-k 2,2`)." – bobbogo Mar 15 '11 at 11:52
  • @bobbogo: But still the field shall stop on separator (i refer to the POSIX standard. Probably the manual is sly here — because the standard says slightly different thing here). Anyway it's easy to check, your thesis, on that very example i've quoted before. –  Mar 15 '11 at 13:31
  • @pooh: Yes, `--debug` revealed all for me. Take this file: line 1 is `a b Z 2` and line 2 is `a b Z 1`. Now you *must* use the `-s` (stable sort) flag in these tests. `sort -s -k2` gives a different result from `sort -s -k2,2`. – bobbogo Mar 16 '11 at 17:25
  • @bobbogo: I see, so the sorting in my cases could have been the side effect. The problem is there ain't no `-s` in POSIX:) So i must devise other samples… –  Mar 16 '11 at 19:32
  • @pooh: AFAIK, without `-s`, GNU sort adds a final sort key consisting of the _entire_ line. This may be what distorted your tests. – bobbogo Mar 17 '11 at 11:05
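
Added example (not from any of the posters): the key-boundary behaviour discussed in the comments above, run with GNU sort on a constructed sample. It assumes GNU `sort` (for `-M` and `-s`) and `LC_ALL=C`; the function names are illustrative.

```shell
#!/bin/sh
# Constructed input: the question's five lines, shuffled, plus two made-up
# entries (Feb 28, Mar 10) so the month key and two-digit days matter.
sample() {
cat <<'EOF'
  4 Mar  9 06:24:01 nod1 /USR/SBIN/CRON[27199]: aaaasdsd
  1 Mar  8 17:20:01 nod1 /usr/sbin/cron[1826]: asdasdas
  3 Feb 28 23:59:59 nod1 /usr/sbin/cron[900]: constructed
  2 Mar  9 08:16:22 nod1 /sbin/zzzzo[12712]: sadsdasdas
  1 Mar  9 06:24:01 nod1 /USR/SBIN/CRON[27201]: aaadas
126 Mar  8 07:45:09 nod1 /sbin/ccccilio[12712]: INFO: sadasdasdas
 12 Mar 10 00:00:01 nod1 /usr/sbin/cron[1900]: constructed
EOF
}

# Every key is closed (POS1,POS2) so it covers exactly one field.
# -s drops the whole-line tie-break, so equal timestamps keep log order.
sort_by_time() { LC_ALL=C sort -s -k2,2M -k3,3n -k4,4; }

# One key spanning fields 2-4 with M: only the month name is compared.
sort_month_span() { LC_ALL=C sort -s -k2M,4; }

# The two-line test from the comments: -k2 runs to end of line, -k2,2 does not.
pair() { printf 'a b Z 2\na b Z 1\n'; }
open_key()   { pair | LC_ALL=C sort -s -k2   | tr '\n' '|'; }
closed_key() { pair | LC_ALL=C sort -s -k2,2 | tr '\n' '|'; }

# Reduce each line to MonthDay@time#count so orderings fit on one line.
brief() { awk '{ printf "%s%s%s@%s#%s", (NR > 1 ? " " : ""), $2, $3, $4, $1 }'; }

printf 'per-field keys : %s\n' "$(sample | sort_by_time | brief)"
printf 'one M key, 2-4 : %s\n' "$(sample | sort_month_span | brief)"
printf '%s\n' "-k2: $(open_key)" "-k2,2: $(closed_key)"
```

With the single `M` key the March lines come out in input order, because nothing after the month name takes part in the comparison.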
13

little off-topic - but anyway. only useful when working within filetrees

```
ls -l -r --sort=time
```

from this you could create a one-liner which for example deletes the oldest backup in town.

```
# Names only (no -l), so nothing depends on the long-format column layout; the name is quoted and passed after --
ls -r --sort=time | grep backup | head -n1 | while IFS= read -r oldbackup; do rm -- "$oldbackup"; done
```
Baz
hias
7

Days need numeric (not lexical) sort, so it should be `sort -s -k 2M -k 3n -k 4,4`

See more details here.

Enamul Hassan
llhuii
5

You can use the sort command:

```
sort -M -k 2 "$logfile"
```

That means: Sort by month (`-M`) beginning from second column (`-k 2`).

bmk
  • Are you sure? I tried it before. And it also sorted by day and time. It was definitely not necessary to specify columns 3 and 4. See also the sort manpage: "-k, --key=POS1[,POS2] start a key at POS1 (origin 1), end it at POS2 (default end of line)" i.e. the rest of the line is also considered. – bmk Mar 09 '11 at 09:13
  • I've tried on my system with the file in question. Probably the version of sort is different? For the Mar 9 i have the following order (strings containing pids): 27201, 12712, 27199. –  Mar 09 '11 at 10:10
  • So I guess it's really version dependent. I tried it also on an old Solaris machine - and my version did not work (your version did), whereas it worked on openSuse 11.2 (sort (GNU coreutils) 7.1). – bmk Mar 10 '11 at 08:30
  • The thing is that -M is not POSIX. I don't have access to the sun now, i'll check it later. Probably it means something different there? I've tried your command on my gentoo (sort 8.7)... Weird. Could it be something with the locale? –  Mar 10 '11 at 08:58