我使用以下命令来获取日志文件中每秒的最高请求数,并且效果很好。
grep "2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c | sort -n | tail -n1
现在我还想获得每秒最小的请求以及最高数量停留的时间。例如:假设命令的结果是 2000,这是日志文件中每秒的最高请求,我想知道 2000 个请求持续了多长时间?换句话说:如果2000年的峰值发生了,我想知道这个峰值需要多长时间才能下降。
这是日志文件的一部分:
#Start-Date: 2017-02-16 19:49:06
#Date: 2016-10-11 15:16:48
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action c
s-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes
x-virus-id x-bluecoat-application-name x-bluecoat-application-operation
#Remark: 1412140034 "lofnetsg1" "192.168.13.14" "main"
2017-02-16 19:49:06 116154 10.5.13.149 - - - OBSERVED "Non-Viewable/Infrastructure" - 200 TCP_TUNNELED CONNECT - tcp u-amvx4npjuy.wc.yahoo
dns.net 443 / - - "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 660
3 1036 - "none" "none"
2017-02-16 19:49:06 1 10.2.29.41 - - - OBSERVED "Technology/Internet" - 304 TCP_HIT GET application/pkix-crl http www.microsoft.com 80 /pk
i/CRL/products/Microsoft%20Windows%20Hardware%20Compatibility%20PCA(1).crl - crl "Microsoft-CryptoAPI/6.1" 192.168.13.14 568 338 - "none" "
none"
2017-02-16 19:49:06 18 10.1.15.166 - - - OBSERVED "Content Servers" http://www.foxnews.com/ 304 TCP_CLIENT_REFRESH GET text/javascript;cha
rset=UTF-8 http widget-cdn.rpxnow.com 80 /translations/share/en - - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Ge
cko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 487 417 - "none" "none"
2017-02-16 19:49:06 6677 172.16.121.69 - - - OBSERVED "Social Networking;Content Servers" - 200 TCP_TUNNELED CONNECT - tcp pbs.twimg.com 4
43 / - - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 10020
3 1241 - "Twitter" "none"
2017-02-16 19:49:06 1664 10.14.16.67 - - - OBSERVED "Informational;Health" - 200 TCP_TUNNELED CONNECT - tcp www.drugs.com 443 / - - "Mozil
la/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" 192.168.13.14 6313 2281 - "none" "none"
2017-02-16 19:49:06 1095 172.16.121.69 - - - OBSERVED "Web Ads/Analytics" - 200 TCP_TUNNELED CONNECT - tcp as-sec.casalemedia.com 443 / -
- "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 1058 2818 -
"none" "none"
2017-02-16 19:49:06 24282 172.16.121.69 - - - OBSERVED "Web Ads/Analytics" - 200 TCP_TUNNELED CONNECT - tcp dt.adsafeprotected.com 443 / -
- "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 3687 3007 -
"none" "none"
2017-02-16 19:49:06 1 10.2.29.41 - - - OBSERVED "Non-Viewable/Infrastructure" - 304 TCP_HIT GET application/pkix-crl http crl.microsoft.co
m 80 /pki/crl/products/MicrosoftTimeStampPCA.crl - crl "Microsoft-CryptoAPI/6.1" 192.168.13.14 500 304 - "none" "none"
2017-02-16 19:49:06 48 10.2.50.46 - - - OBSERVED "Web Ads/Analytics" - 200 TCP_TUNNELED CONNECT - tcp x.bidswitch.net 443 / - - "Mozilla/5
.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 39 219 - "none" "none"
2017-02-16 19:49:06 26855 172.16.121.69 - - - OBSERVED "Web Ads/Analytics" - 200 TCP_TUNNELED CONNECT - tcp ping.chartbeat.net 443 / - - "
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 699 2727 - "non
e" "none"
2017-02-16 19:49:06 22 10.2.10.172 - - - OBSERVED "Web Ads/Analytics" http://player.radio.com/listen/station/985-the-sports-hub 200 TCP_NC
_MISS GET application/javascript;%20charset=utf-8 http ib.adnxs.com 80 /ttj ?id=10203641&size=300x250&pagetype=ros&promo_sizes=&cb=14872745
46795 - "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" 192.168.13.14 11458 3251 -
"none" "none"
2017-02-16 19:49:06 965 10.32.14.38 - - - OBSERVED "Technology/Internet" - 200 TCP_TUNNELED CONNECT - tcp clients4.google.com 443 / - - "C
hrome WIN 56.0.2924.87 (0e9a9a6f3676ae439b78cd9b3f62b4193c3ac7d5-refs/branch-heads/2924@{#895}) channel(stable)" 192.168.13.14 1455 3073 -
"none" "none"
2017-02-16 19:49:06 939 10.7.18.97 - - - OBSERVED "Health" http://cmri.in/cmri-doctors/ 200 TCP_NC_MISS GET text/html;%20charset=UTF-8 htt
p cmri.in 80 /doctor/dr-mahesh-chowdhury/ - - "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:51.0) Gecko/20100101 Firefox/51.0" 192.168.
13.14 7501 573 - "none" "none"
答案1
以下是获取最多点击持续时间的一种方法:
highest为原始命令分配一个变量:*^添加 grep 模式,将匹配限制为行开头的日期。
highest=$(grep "^2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c | sort -n | tail -n1)
再次使用原始命令,最多uniq,将完整uniq计数列表重定向到tempfile
grep "^2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c >tempfile
tempfile使用grep 搜索 new 中的最大数字,-A1以获取之后的第一行:
grep -A1 "^$highest" tempfile | tail -n1
您可以使用分号 (;) 将它们组合成一行,如下所示:
highest=$(grep "^2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c | sort -n | tail -n1);grep "^2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c >tempfile;grep -A1 "^$highest" tempfile | tail -n1
如果您需要对实际时间差的输出进行日期时间数学运算,则可以将迄今为止的结果捕获到变量中nexttime
nexttime=$(highest=$(grep "^2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c | sort -n | tail -n1);grep "^2017-02-22" "LogFile.log" | cut -c1-20 | uniq -c >tempfile;grep -A1 "^$highest" tempfile | tail -n1)
并用它来计算差异:
highest=$(echo $highest | cut -d' ' -f 3) # get the time field (#3)
nexttime=$(echo $nexttime | cut -d' ' -f 3) # get the time field (#3)
logStart=$(date -u -d "$highest" +"%s") # convert to seconds
logEnd=$(date -u -d "$nexttime" +"%s") # convert to seconds
date -u -d "0 $logEnd sec - $logStart sec" +"%H:%M:%S" # display time difference
同样,您可以使用分号 (;) 将这些语句与上面的其他语句组合起来,或者将其全部放入脚本中。