Hi,

Each line of the file contains a timestamp value (ex: 2012-01-16 14:43:23) which denotes the time at which a particular action was performed.

I want to extract the logs for all the actions performed in the last 2 hours using awk. That is, where the timestamp should be greater than currentTime - 2 hours exactly.

(Ex: if currentTime=2012-01-16 15:30:01, extract all records where timestamp > 2012-01-16 13:30:01).

Thanks in advance.

Why awk? Ruby (or a similar scripting language) would make this trivial as there would be no need to modify the input line. For instance:

#!/usr/bin/env ruby

require 'time'

two_hours = 60 * 60 * 2

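while line = gets
    line = line.chomp           # strip the newline so the message prints on one line
    ts = Time.parse(line)       # parse "YYYY-MM-DD HH:MM:SS" as local time
    now = Time.now
    if now - ts < two_hours     # Time difference is in seconds
        puts "#{line} is less than two hours ago"
    end
end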

Which produces the following

2012-01-17 06:15:12 is less than two hours ago
2012-01-17 07:15:12 is less than two hours ago

when provided

2012-01-17 04:15:12
2012-01-17 05:15:12
2012-01-17 06:15:12
2012-01-17 07:15:12

Thanks for the reply.

Actually I am using awk to extract all lines matching multiple patterns and then perform some action on those lines. One of the patterns is the timestamp value.

The line looks something like:
BL: | LL: ERROR | TS: 2011-12-23 10:15:31,085 | AR: RxC_06.00.39.01 | .... | :EL

My awk command looks like
awk '/ERROR/ && !/:EL/ && /TIMESTAMP_VALUE/ {some action}' file_name

I don't want to use a separate script to compare time difference between current time and timestamp value in the line and then perform the action depending upon the outcome of the comparison script. I have already implemented that.

Looking for a method to pass the timestamp range value as a pattern but that should be constrained to exactly 2 hours from current time.

Alright. Well, you have two options then. Modify the code I pasted to handle the input lines you are dealing with (trivial since Ruby supports regular expressions as part of the language) or massage the contents of your input such that awk can handle them. You are going to want to use mktime (if you are using GNU awk) which expects an input in the following format: YYYY MM DD HH MM SS [DST].
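Added example, not part of the thread or any poster's code: the mktime route from the reply above, applied to the log-line format shown earlier, with the time test taking the place of /TIMESTAMP_VALUE/. It assumes an awk that provides mktime (GNU awk, as the reply says); the function names, the window variable and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log lines in the "BL: | LL: ... | TS: ... |" layout.
sample_log() {
    cat <<'EOF'
BL: | LL: ERROR | TS: 2012-01-16 13:30:01,000 | AR: demo | exactly at the cutoff
BL: | LL: ERROR | TS: 2012-01-16 13:30:02,417 | AR: demo | just inside the window
BL: | LL: INFO | TS: 2012-01-16 15:00:00,000 | AR: demo | recent but not an error
BL: | LL: ERROR | TS: 2012-01-16 15:10:45,085 | AR: demo | recent but closed | :EL
BL: | LL: ERROR | TS: 2012-01-16 09:12:00,001 | AR: demo | too old
BL: | LL: ERROR | TS: 2012-01-16 15:29:59,999 | AR: demo | newest
EOF
}

# recent_errors NOW [FILE...]
# NOW is "YYYY-MM-DD HH:MM:SS"; for the real current time pass
# "$(date '+%Y-%m-%d %H:%M:%S')". Reads stdin when no FILE is given.
recent_errors() {
    now=$1; shift
    awk -F ' [|] ' -v now="$now" -v window=7200 '
    # Convert "YYYY-MM-DD HH:MM:SS[,mmm]" to epoch seconds.
    function epoch(ts) {
        sub(/,.*/, "", ts)        # drop the millisecond suffix
        gsub(/[-:]/, " ", ts)     # mktime wants "YYYY MM DD HH MM SS"
        return mktime(ts)         # -1 when the string is not a valid time
    }
    BEGIN {
        n = epoch(now)
        if (n == -1) { print "bad NOW: " now > "/dev/stderr"; exit 2 }
        cutoff = n - window       # window is in seconds (7200 = 2 hours)
    }
    /ERROR/ && !/:EL/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^TS: /) {
                t = epoch(substr($i, 5))
                # strictly newer than the cutoff; unparsable stamps are skipped
                if (t != -1 && t > cutoff) print
                break
            }
    }' "$@"
}

# Demo on the constructed data with the current time from the question.
sample_log | recent_errors "2012-01-16 15:30:01"
```

Both timestamps go through mktime in the same local time zone, so the comparison stays correct as long as the log was written in the zone of the machine doing the filtering.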
