Linux | 日志查找和日志切割

前言

在linux上查找日志的時候，如果我想找出某個時間段的日志，比如查找今天早上8點到下午2點的日志。
用grep不太方便直接過濾出來，可以使用sed根據時間去查找

sed -n '/開始時間日期/,/結束時間日期/p' all.log

查找日志

比如下面這段日志,前面的時間格式都是類似 2019-10-21 07:44:20

2019-10-24 21:33:31,678 [django.request:93] [base:get_response] [WARNING]- Not Found: /http:/123.125.114.144/
2019-10-24 21:33:31,679 [django.server:124] [basehttp:log_message] [WARNING]- "HEAD http://123.125.114.144/ HTTP/1.1" 404 1678
2019-10-24 22:14:04,121 [django.server:124] [basehttp:log_message] [INFO]- code 400, message Bad request version ('HTTP')
2019-10-24 22:14:04,122 [django.server:124] [basehttp:log_message] [WARNING]- "GET ../../mnt/custom/ProductDefinition HTTP" 400 -
2019-10-24 22:16:21,052 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/login HTTP/1.1" 301 0
2019-10-24 22:16:21,123 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/login/ HTTP/1.1" 200 3876
2019-10-24 22:16:21,192 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/img/main_bg.png HTTP/1.1" 200 2801
2019-10-24 22:16:21,196 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/iconfont/style.css HTTP/1.1" 200 1638
2019-10-24 22:16:21,229 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/img/bg.jpg HTTP/1.1" 200 135990
2019-10-24 22:16:21,307 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/iconfont/fonts/icomoon.ttf?u4m6fy HTTP/1.1" 200 6900
2019-10-24 22:16:23,525 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/login/ HTTP/1.1" 302 0
2019-10-24 22:16:23,618 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/index/ HTTP/1.1" 200 18447
2019-10-24 22:16:23,709 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/js/commons.js HTTP/1.1" 200 13209
2019-10-24 22:16:23,712 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/css/admin.css HTTP/1.1" 200 19660
2019-10-24 22:16:23,712 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/css/common.css HTTP/1.1" 200 1004
2019-10-24 22:16:23,714 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/js/app.js HTTP/1.1" 200 20844
2019-10-24 22:16:26,509 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/report_list/1/ HTTP/1.1" 200 14649
2019-10-24 22:16:51,496 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/test_list/1/ HTTP/1.1" 200 24874
2019-10-24 22:16:51,721 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/add_case/ HTTP/1.1" 200 0
2019-10-24 22:16:59,707 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/test_list/1/ HTTP/1.1" 200 24874
2019-10-24 22:16:59,909 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/add_case/ HTTP/1.1" 200 0
2019-10-24 22:17:01,306 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/edit_case/1/ HTTP/1.1" 200 36504
2019-10-24 22:17:06,265 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/add_project/ HTTP/1.1" 200 17737
2019-10-24 22:17:07,825 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/project_list/1/ HTTP/1.1" 200 29789
2019-10-24 22:17:13,116 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/add_config/ HTTP/1.1" 200 24816
2019-10-24 22:17:19,671 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/config_list/1/ HTTP/1.1" 200 19532

比如我要查找上面的從 2019-10-24 22:16:21 到 2019-10-24 22:16:59 這個時間段的日志

sed -n '/2019-10-24 22:16:21/,/2019-10-24 22:16:59/p' all.log

[root@VM_0_2_centos logs]# sed -n '/2019-10-24 22:16:21/,/2019-10-24 22:16:59/p' all.log
2019-10-24 22:16:21,052 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/login HTTP/1.1" 301 0
2019-10-24 22:16:21,123 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/login/ HTTP/1.1" 200 3876
2019-10-24 22:16:21,192 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/img/main_bg.png HTTP/1.1" 200 2801
2019-10-24 22:16:21,196 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/iconfont/style.css HTTP/1.1" 200 1638
2019-10-24 22:16:21,229 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/img/bg.jpg HTTP/1.1" 200 135990
2019-10-24 22:16:21,307 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/iconfont/fonts/icomoon.ttf?u4m6fy HTTP/1.1" 200 6900
2019-10-24 22:16:23,525 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/login/ HTTP/1.1" 302 0
2019-10-24 22:16:23,618 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/index/ HTTP/1.1" 200 18447
2019-10-24 22:16:23,709 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/js/commons.js HTTP/1.1" 200 13209
2019-10-24 22:16:23,712 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/css/admin.css HTTP/1.1" 200 19660
2019-10-24 22:16:23,712 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/css/common.css HTTP/1.1" 200 1004
2019-10-24 22:16:23,714 [django.server:124] [basehttp:log_message] [INFO]- "GET /static/assets/js/app.js HTTP/1.1" 200 20844
2019-10-24 22:16:26,509 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/report_list/1/ HTTP/1.1" 200 14649
2019-10-24 22:16:51,496 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/test_list/1/ HTTP/1.1" 200 24874
2019-10-24 22:16:51,721 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/add_case/ HTTP/1.1" 200 0
2019-10-24 22:16:59,707 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/test_list/1/ HTTP/1.1" 200 24874
[root@VM_0_2_centos logs]# 

看起來使用很簡單，但是會有很大坑，比如時間后面的/p不能漏掉了

遇到的坑

比如下面這段日志,前面的時間格式都是類似 12/16 07:44:20,需進行轉義查詢

sed -n '/12\/16 14:00:15/,/12\/16 15:40:15/p' pafa.log

開始時間和結束時間必須要是日志里面有的，要是沒有的時間，那查找就沒有結果，這個我也被坑過，看網上的教程都是這句，但評論里面總有人說沒成功。
后來經過實踐，指令是沒有問題的，只是開始時間和結束時間必須要是日志里面有才行。

如果開始時間日志里面是沒有的，那么查詢結果為空，比如開始時間沒有2019-10-24 22:16:22

sed -n '/2019-10-24 22:16:22/,/2019-10-24 22:16:59/p' all.log

如果結束時間日志里面是沒有的，查詢的結果就是開始時間到最后的全部日志

sed -n '/2019-10-24 22:16:21/,/2019-10-24 22:16:58/p' all.log

模糊查詢

如果不知道日志的開始時間，不能精確到秒，可以用模糊查詢,比如查詢時間段2019-10-24 22:14 到 2019-10-24 22:16

sed -n '/2019-10-24 22:14:*/,/2019-10-24 22:16:*/p' all.log

[root@VM_0_2_centos logs]# sed -n '/2019-10-24 22:14:*/,/2019-10-24 22:16:*/p' all.log
2019-10-24 22:14:04,121 [django.server:124] [basehttp:log_message] [INFO]- code 400, message Bad request version ('HTTP')
2019-10-24 22:14:04,122 [django.server:124] [basehttp:log_message] [WARNING]- "GET ../../mnt/custom/ProductDefinition HTTP" 400 -
2019-10-24 22:16:21,052 [django.server:124] [basehttp:log_message] [INFO]- "GET /api/login HTTP/1.1" 301 0
[root@VM_0_2_centos logs]# 

也可以按小時模糊查詢

sed -n '/2019-10-24 21*/,/2019-10-24 22*/p' all.log

結合grep查詢

sed 也可以結合 grep 使用，比如我查詢上面日志某個時間段的帶有 POST 的日志行

sed -n '/2019-10-24 22:16:21/,/2019-10-21 20:16:58/p' all.log | grep POST

[root@VM_0_2_centos logs]# sed -n '/2019-10-24 22:16:21/,/2019-10-21 20:16:58/p' all.log | grep post
[root@VM_0_2_centos logs]# sed -n '/2019-10-24 22:16:21/,/2019-10-21 20:16:58/p' all.log | grep POST
2019-10-24 22:16:23,525 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/login/ HTTP/1.1" 302 0
2019-10-24 22:16:51,721 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/add_case/ HTTP/1.1" 200 0
2019-10-24 22:16:59,909 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/add_case/ HTTP/1.1" 200 0
2019-10-24 22:17:19,864 [django.server:124] [basehttp:log_message] [INFO]- "POST /api/add_case/ HTTP/1.1" 200 0
[root@VM_0_2_centos logs]# 

日志導出

我們可以查詢某個時間段的日志，導出到本地

sed -n '/2019-10-24 22:16:21/,/2019-10-21 20:16:58/p' all.log > yoyo.log

[root@VM_0_2_centos logs]# sed -n '/2019-10-24 22:16:21/,/2019-10-21 20:16:58/p' all.log > yoyo.log
[root@VM_0_2_centos logs]# ll
total 1740
-rw-r--r-- 1 root root 1907 Oct 24 22:54 11.txt
-rw-r--r-- 1 root root 1081515 Oct 24 23:04 all.log
-rw-r--r-- 1 root root 686962 Oct 24 23:04 script.log
-rw-r--r-- 1 root root 3053 Oct 24 23:08 yoyo.log
[root@VM_0_2_centos logs]# 

日志大文件切割

1.切割文件
1）使用split分割大文件
原文件為圖所

1:)命令按照行數分割 分割后的文件自動加上后綴名 --verbose參數顯示進度。
# split -l 10000 -d pafa.log new-file_ --verbose
如果所示,按照10000行進行切割：![默認生成的新文件以字母排序]

-d參數為新生成的文件使用數字的后綴。如圖：

2:）按照字節大小進行分割
命令：split -b 100M -d pafa.log new-file_ --verbose

![以每個文件40mb分割，-d參數為新生成的文件使用數字的后綴]

3）合並文件
命令：cat newfile_* > catfile.log