Match date on logfile and print line with awk

Question

I have a log file that may have the following lines among 100 other lines

hosta: Info: Tue Nov 25  19:44:39 2014>
User jwayman at position 170.198.3.141 disconnected 

hosta: Info: Tue Nov 23  19:44:39 2014>
User jho at position 170.198.3.141 disconnected 

hosta: Info: Tue Nov 26  19:44:39 2014>
User jho at position 170.198.3.141 disconnected 

I need to look for occurrences of "disconnected" and then if the date ( from the line above it ) matches the today's date then I want to print the following information:

user jho disconnected from server "hosta"

So I need to pull data from both lines and then do something with it. I was thinking of doing this in a array and assign all occurrences to variables in array. But I hope that someone can introduce an easier way of doing this, maybe with a grep and awk.

Answer 1

You can use the following:

awk -v today="$(date "+%a %b %d")" '$3 FS $4 FS $5 == today {f=1; next}
                                    f && /disconnected/ {print}
                                    f=0 ' file

Explanation

• $(date "+%a %b %d") returns on the format Wed Nov 26.
• $3 FS $4 FS $5 == today {f=1; next} checks is the current line has this format. If so, a flag f is activated.
• f && /disconnected/ {print} if the flag is set and the line contains disconnected, then prints it.
• f=0 unsets the flag.

Test

Sample file:

$ cat a
hosta: Info: Tue Nov 25  19:44:39 2014>
User jwayman at position 170.198.3.141 disconnected 

hosta: Info: Tue Nov 23  19:44:39 2014>
User jho at position 170.198.3.141 disconnected 

hosta: Info: Wed Nov 26  19:44:39 2014>
User jho at position 170.198.3.141 disconnected 

hosta: Info: Wed Nov 26  19:44:39 2014>
User jho at position 170.198.3.141 here

Check the script:

$ awk -v today="$(date "+%a %b %d")" '$3 FS $4 FS $5 == today {f=1; next} f && /disconnected/ {print} f=0 ' a
User jho at position 170.198.3.141 disconnected 

Answer 2

With GNU awk for gensub() and time functions:

$ awk -v RS= '
    BEGIN { today=strftime("%a%b%d") }
    (($3$4$5)==today) && /disconnected/ {
        print $8, $9, $NF, "from server \"" gensub(/:/,"\"","",$1)
    }
' file
User jho disconnected from server "hosta"

Answer 3

Same concept as fedorqui (he beat me to the post by a few minutes) but with the exact output you asked for as opposed to just the input disconnected line.

awk -v date="$(date "+%a %b %d")" '$2 == "Info:" {
                                       if ($3" "$4" "$5==date) {
                                           s=$1; sub(/:$/,"",s)
                                       } else {
                                           s=""
                                       }
                                       next
                                   }
                                   s && ($NF == "disconnected") {
                                       print "user",$2,"disconnected from server \""s"\""
                                       s=""
                                       next
                                   }'

Explanation:

• $2 == "Info: are we looking at an Info line
  • if ($3" "$4" "$5==date) { is this line for today
  • s=$1; sub(/:$/,"",s) assign the server to s and strip off the trailing colon
  • else this is a line for some other day
  • s="" unset our server variable.
  • next skip to the next line
• s && ($NF == "disconnected") do we have a saved server and is this a disconnection line
  • print "user",$2,"disconnected from server \""s"\"" print the desired output
  • s="" unset our server variable.
  • next skip to the next line