Hi dnaqvi,
If I understand correctly, you've stated that you start a new log file every 12 hours.
The pattern we've been talking about will count the overall total of whatever type of messages you specify, in a single log file, each time you use the pattern, without any concern for the hour in the message.
Let's say that you are able to use the pattern in a script, and manage to run the script, exactly at the time, after the last message for one hour is put in the log file, and before the first message for the next hour is put in the log file. Then, for a particular type of message, with this list of counts for the first few hours of the day as an example, the counts would work like this:
Code:
hour   count which occurred *that* hour   pattern would return this count
====   ================================   ===============================
 0                   10                                10
 1                   15                                25
 2                   25                                50
 3                   10                                60
It will only do that for a single log file. As soon as you start a new log file, the count returned by a pattern used for a particular type of message, will start over at zero.
So, if you want a continuously increasing count, then you'll need to save the count you got from one log file, and add it to the count from the next log file.
If, for some reason, it's easier for you to add up the total by getting the count for each specific hour, according to the time in the message, for a particular type of message, that can be done using commands like these:
Code:
$ the_hour=`date +%H`
$ echo $the_hour
23
$ egrep '^(([^\ ]+)([\ ]+))'${the_hour}'(((:[0-9]+)){3})((([\ ]+)([^\ ]+)){3})([\ ]+)(A)' sys.log
[3/29/10 23:01:46:113 PDT] 00000093 LdapRegistryI A SECJ0419I: The user registry is currently connected to the LDAP server ldap://00.00.00.00:123.
Again, I'm using the log messages you've provided, but I changed the hour in some of them so that there are some messages for each hour of some day. When I started typing this it was between the 23rd hour ( 11 PM ) and the end of the day, in the local time zone. So the special format on the date command just outputs the hour of the day from 0 through 23, in this case 23, which is then assigned to the variable the_hour. If you put the command in the script, it could be used to select the same hour for each pattern for each type of message.
If you were to use that with what we'd talked about before, using only error and advisory messages as an example, with the pattern for a specific hour according to the time in the message, it might look something like:
Code:
# current hour of the day, 00 through 23
the_hour=`date +%H`
# distinct error (E) messages logged during that hour
error_count=`egrep '^(([^\ ]+)([\ ]+))'${the_hour}'(((:[0-9]+)){3})((([\ ]+)([^\ ]+)){3})([\ ]+)(E)' sys.log | sort -k6 -u | wc -l`
# distinct advisory (A) messages logged during that hour
advisory_count=`egrep '^(([^\ ]+)([\ ]+))'${the_hour}'(((:[0-9]+)){3})((([\ ]+)([^\ ]+)){3})([\ ]+)(A)' sys.log | sort -k6 -u | wc -l`
total_count=`expr $advisory_count \+ $error_count`
echo "There were $error_count error messages, $advisory_count advisory messages, $total_count together."
But in case you did need to do something like that, please keep in mind that by using the date command, the patterns would look for messages from whatever hour it is when the script runs, even if it's run near the end of an hour, something delays its running, and it actually runs just after the start of a new hour.
You could also pass in the hour for which you want to search to be absolutely sure you get the right hour.
Whichever way you need to do things, hope this helps.
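To tie the two points in the reply together (counting one hour by the time in the message, and carrying the total across log files so it does not restart at zero), here is an added example; it is not code from the thread. It assumes the log line layout shown above, takes the hour as an argument (zero-padded, as `date +%H` gives it), and the log files and their lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Counts distinct messages of one
# severity letter (E, A, ...) for a given hour, and sums that across rotated
# log files. Layout assumed: "[M/D/YY HH:MM:SS:mmm TZ] id component X MSGID: text"

# Constructed sample logs standing in for two consecutive 12-hour files.
LOG_A=$(mktemp); LOG_B=$(mktemp)
trap 'rm -f "$LOG_A" "$LOG_B"' EXIT
cat > "$LOG_A" <<'EOF'
[3/29/10 23:01:46:113 PDT] 00000093 LdapRegistryI A SECJ0419I: The user registry is currently connected to the LDAP server ldap://00.00.00.00:123.
[3/29/10 23:02:10:001 PDT] 00000094 SomeComponent E SAMPLE0001E: constructed error one
[3/29/10 23:05:00:000 PDT] 00000094 SomeComponent E SAMPLE0001E: constructed error one
[3/29/10 22:59:59:999 PDT] 00000095 SomeComponent E SAMPLE0002E: constructed error two
EOF
cat > "$LOG_B" <<'EOF'
[3/30/10 23:10:00:000 PDT] 00000096 SomeComponent E SAMPLE0003E: constructed error three
[3/30/10 23:11:00:000 PDT] 00000097 SomeComponent A SAMPLE0004I: constructed advisory
[3/30/10 23:12:00:000 PDT] 00000098 SomeComponent E SAMPLE0005E: constructed error five
EOF

# count_hour HOUR TYPE FILE: distinct messages of severity TYPE whose
# timestamp hour is HOUR, in one file. Same idea as the thread's egrep,
# written with grep -E and plain spaces; sort -k6 -u dedups on the text
# from the severity letter onward, as in the thread.
count_hour() {
    grep -E '^[^ ]+ +'"$1"'(:[0-9]+){3}( +[^ ]+){3} +('"$2"')' "$3" \
        | sort -k6 -u | wc -l | tr -d ' '
}

# running_total HOUR TYPE FILE...: sums count_hour over several files, so the
# count keeps increasing instead of restarting when a new log file starts.
running_total() {
    rt_hour=$1; rt_type=$2; shift 2
    rt_total=0
    for rt_file in "$@"; do
        rt_n=$(count_hour "$rt_hour" "$rt_type" "$rt_file")
        rt_total=$((rt_total + rt_n))
    done
    echo "$rt_total"
}

# Pass the hour in explicitly (defaults to 23 here) rather than reading the
# clock at run time, so a late-running script still counts the intended hour.
hour=${1:-23}
echo "hour $hour: errors=$(running_total "$hour" E "$LOG_A" "$LOG_B")" \
     "advisories=$(running_total "$hour" A "$LOG_A" "$LOG_B")"
```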