AWK/SED Multiple pattern matching over multiple lines issue
ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
AWK/SED Multiple pattern matching over multiple lines issue
I have to construct a maintenance program, part of this program is the interrogation of log files.
Ordinarily a grep or sed would sort me right out however this problem has a few other restrictions.
I have to initially get the current date from the system and then match this to entries in a log file. Not a problem, already done. However once I have located a matching line I then have to step over the next lines looking for another pattern and, if found, write these entries to a file. I can ONLY use either grep, sed or awk to do this. I believe awk will do it no problem however I am not familiar with all it's aspects. An example of the data may help:
test.log:
2006 Nov 06 18:01:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:03:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:04:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:06:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:07:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:08:26:179 GMT +1 userQueue - [Unknown
] - Severity: 2; Category: ; ExceptionCode: ; Message: unable to create new nati
ve thread; Parameters: <n/a>; Stack Trace: Job-18507 Error in userQueue
java.lang.OutOfMemoryError: unable to create new native thread
I need to extract the corresponding line(s) relating to the OutOfMemoryError and date! e.g. output should look like:
(date) (filename) (error)
2006 Nov 06 userQueue java.lang.OutOfMemoryError: unable to create new native thread
It's not entirely clear to me which lines exactly you're trying to filter out of the file. So here are few commands that I think/hope may help...
Code:
# Get all lines that start with $date and also
# contains "OutOfMemoryError". Just grep will do
# in that case.
#
grep "^$date.*OutOfMemory" log.txt
# Get all lines between (and including) the
# first that starts with $date until the first line
# after that which contains "OutOfMemoryError"
# (possibly starts with a different date)
#
sed -n "/^$date/,/OutOfMemoryError/p" log.txt
# Get all lines between (and including) the
# first that starts with $date until the first line
# after that which starts with $date and
# also contains "OutOfMemoryError".
#
sed -n "/^$date/,/^$date.*OutOfMemoryError/p" log.txt
Just a minor tip: getting the date of today in that format is easier and executing faster this way:
Thanks for your time, response and advice regarding getting the date.
I am trying to filter out the entire file. All I need is the line that is identified as having a date, that matches the current date, and is preceeded by the 'OutOfMemory' error string. Which in most cases will be 4 lines below the matched date line.
My primary problem is that when I make a search I get a list of all instances that have the date value.
The date field is not a unique identifier. The relationship between the date and error is the unique part!
I have to construct a maintenance program, part of this program is the interrogation of log files.
Ordinarily a grep or sed would sort me right out however this problem has a few other restrictions.
I have to initially get the current date from the system and then match this to entries in a log file. Not a problem, already done. However once I have located a matching line I then have to step over the next lines looking for another pattern and, if found, write these entries to a file. I can ONLY use either grep, sed or awk to do this. I believe awk will do it no problem however I am not familiar with all it's aspects. An example of the data may help:
test.log:
2006 Nov 06 18:01:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:03:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:04:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:06:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:07:25:538 GMT +1 userQueue - Job-18494
s/QueryLog]: located user queue on line 654 of system 5432
2006 Nov 06 18:08:26:179 GMT +1 userQueue - [Unknown
] - Severity: 2; Category: ; ExceptionCode: ; Message: unable to create new nati
ve thread; Parameters: <n/a>; Stack Trace: Job-18507 Error in userQueue
java.lang.OutOfMemoryError: unable to create new native thread
I need to extract the corresponding line(s) relating to the OutOfMemoryError and date! e.g. output should look like:
(date) (filename) (error)
2006 Nov 06 userQueue java.lang.OutOfMemoryError: unable to create new native thread
Since you are looking for a pattern on a single line containing both the date and "Out of Memory", these could both be contained in a regular expression pattern. Just put a ".*" pattern inbetween the two patterns.
Or you could use grep twice: "grep 'pattern1' logfile | grep 'pattern2'" to produce an intersection of the two patterns.
There are three other things you can use with sed. The -n option will suppress output unless you use the print command. The -e option allows you to enter more then a single command ( As demonstrated by poster Hko above ). You can use brackets to use subpatterns inside // slashes to further fine tune the search. This may allow you to first select lines with the current date, and then create different files which filter different patterns.
If you have a gawk-doc package, you might want to install it. It includes the book "Gawk: Effective AWK Programming."
HKO your solution worked great on a single entry log file I tested, however sed died with a "sed: Memory allocation failed." error when tested on a real 8MB file. Any suggestions?
Last edited by GigerMalmensteen; 11-27-2006 at 04:20 AM.
HKO your solution worked great on a single entry log file I tested, however sed died with a "sed: Memory allocation failed." error when tested on a real 8MB file. Any suggestions?
Here's a different, simpler approach. It will still read in entire files into memory, but it's not sed who has to that.
If the script above doesn't have the memory problem (I expect it doesn't, but I have tried it on large files), it's a much cleaner solution than your "ugly" one IMHO.
Once again thanks for your response. Just to let you know 'tac' doesn't come as standard with the SunOS version I am using. So the elegant solution you proposed can't be used :?
As you have several steps to accomplish your task, I guess the best tool for your needs is awk: first, identify the messages of the day, second cat all the physical lines that compound the logical one, decide if it is to be reported and finally cut the slices you want to display.
Below I show you an script which does the above steps:
Code:
#!/bin/sh
DATE=`date +"%Y %b %d"`
DATE="2006 Nov 06" # to test your test.log
cat *.log | \
awk 'BEGIN { date = "'"$DATE"'" }
function check_output()
{
#
# check for error report on the assembled line
#
if ((ind = match(line, /Error in /)) != 0)
{
# ind points to the string "Error in "
ind += 9 # go to post string
# get the portion of the line which
# contains the file and error message
tmp = substr(line, ind)
# get the separator between file and error
ind = index(tmp, ":")
file = substr(tmp, 1, ind - 1)
error = substr(tmp, ind + 1)
# printing the 3 fields separated by [TAB]
printf("%s\t%s\t%s\n", date, file, error)
}
line = ""
}
{ # main loop
if (index($0, date) != 0)
{
# if the line starts with the date
# check to see if there is one
# already assembled
if (length(line) != 0)
check_output()
# Initialize a new line
line = $0
}
else
{
# if the line does not start with
# the date, check to see if there
# is already a line in process. If
# positive, cat the input to the
# line. Otherwise, discard it.
if (length(line) != 0)
line = line " " $0
}
}
END {
# End of file, we could have an
# assembled line; go and check it
if (length(line) != 0)
check_output()
}'
It would all be very easy and elegant (not to mention pretty fast) to use perl:
Code:
#!/usr/bin/perl -w
use strict;
my $last_date = "unknown";
while(<>) {
if ( /^(\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d:\d\d\d \w\w\w ([+\-]\d)?)/ ) {
$last_date = $1;
}
if ( /OutOfMemoryError/ ) {
print "Out of memory detected at line $. - date = $last_date\n";
next;
}
}
You would run this on the logfiles by saving it to a file, e.g. "mylogscan", changing the mode of logscan to be executable:
Code:
chmod 755 mylogscan
And then executing with the filename of the log (or multiple logfiles if you like) as arguments to the program:
Code:
./mylogscan logfile1 logfile2 logfile3
A little Perl de-mystification might help to know how it's working:
use strict; just means complain a lot about potentially risky code. It's generally a good idea to use this.
Code:
while(<>) { ... }
The mysterious object here for Perl virgins is the <>. <SOMETHING> is Perl's way to read one line from the file handle SOMETHING. If you don't specify a SOMETHING, Perl opens files names as arguments to the script in turn (names in the array @ARGV), reads lines from them, closes them, opens the next file etc. If you don't specify any files as arguments to the script, Perl will read from standard input. Lines read in this manner get put in the variable $_. <> returns true until the end of possible input, at which point your while loop will terminate.
This line is the most likely, in my opinion, to have Perl virgins running for the hills screaming. The bit between the slashes is a Perl style regular expression. \d mean "a digit", \w means a "word" character (letters and _). So this stuff between the slashes means "four digits, a space, four word characters, two digits, a colon etc. The [+\-] is a way of saying a + or a - character, the ? means "the previous bit, is optional". Brackets group expressions together and if there is a match, the matched values are assigned to $1 for the first set of brackets, $2 for the second set etc. By default, regular expressions are matched against the $_ variable, which is set to the line read from <> as described above. the /expression/ returns true if a match is found. Phew! In short all this means "look for something which looks like a date, and if you find it, put the matched value in $1, which we then save in the variable $last_date."
The rest is pretty self explanatory I think.
Perl's syntax is highly abbreviated for this sort of task because it's exactly the sort of thing that needs to be done a lot. It saves a lot of typing at the expense of scaring off newbies.
Perl eats gigabytes of log files for breakfast, and still has room left for more! Long live Perl!
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
