Regular expressions (regex) are essential for parsing logs at the command line. Here are a few examples for different scenarios:
Line starts with…
The ^ anchors the pattern to the beginning of a line, so the text must appear at the start rather than anywhere in the line. Many logs begin with a timestamp, so if you want to filter lines for a specific date, this works.
grep '^Jul 7' /var/log/messages
Below we filter for a range of dates, July 5-7, using a bracket expression for the day.
grep '^Jul [5-7]' /var/log/messages
Tip: it's not a bad idea to run the date command to confirm the system time before you start filtering your logs.
Line contains X in date range Y…
If you want to see whether a message contains a group of words, no regex is needed; you can simply grep the phrase in quotes. One method is to pipe the date-range results from above into a second grep.
grep '^Jul [5-7]' /var/log/messages | grep 'Starting Network Manager'
And the inverse: for a given date range, which lines do NOT include the phrase (-v inverts the match).
grep '^Jul [5-7]' /var/log/messages | grep -v 'Starting Network Manager'
Line includes an error or warning…
grep -iE 'error|warning|critical' /var/log/messages
Lines before or after a specific event…
We can use a surround search to pull lines before (-B) or after (-A) the event. Below, we'll look at the 10 lines before a specific event:
grep -B 10 'Jul 7 06:24:26 centos7-2 systemd: Started Network Manager Script Dispatcher Service.' /var/log/messages
And 10 lines after would be:
grep -A 10 'Jul 7 06:24:26 centos7-2 systemd: Started Network Manager Script Dispatcher Service.' /var/log/messages
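The following is an added example, not part of the original post: it builds a small constructed /var/log/messages excerpt in a temp file and wraps each grep pattern from the sections above (date anchor, date range with and without a phrase, severity keywords, -B/-A context) in a shell function so the results can be checked. One caveat worth knowing: traditional syslog right-aligns the day in a two-character field, so single-digit days appear as "Jul  7" with two spaces, and a literal '^Jul 7' pattern will miss them; the functions here use ' +' after the month to match either spacing. The LOG variable, the sample lines and the function names are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed syslog excerpt
# standing in for /var/log/messages; the two spaces in "Jul  5" are the
# traditional syslog day padding for single-digit days.
LOG=$(mktemp)                       # hypothetical stand-in for /var/log/messages
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jul  5 08:00:01 centos7-2 systemd: Starting Network Manager Script Dispatcher Service...
Jul  5 08:00:02 centos7-2 systemd: Started Network Manager Script Dispatcher Service.
Jul  6 09:15:10 centos7-2 sshd[1234]: error: maximum authentication attempts exceeded for root from 203.0.113.5 port 4242 ssh2
Jul  6 09:15:11 centos7-2 sshd[1234]: Disconnecting: Too many authentication failures [preauth]
Jul  7 06:24:20 centos7-2 NetworkManager[700]: <warn>  device (eth0): link timed out
Jul  7 06:24:25 centos7-2 systemd: Starting Network Manager Script Dispatcher Service...
Jul  7 06:24:26 centos7-2 systemd: Started Network Manager Script Dispatcher Service.
Jul  8 01:02:03 centos7-2 kernel: CRITICAL: constructed sample line
EOF

# Lines from one day. '^' anchors to line start; ' +' absorbs the syslog
# padding so both "Jul 7" and "Jul  7" match. '|| true' keeps a zero-match
# grep (exit status 1) from aborting a caller that runs under 'set -e'.
lines_on_day() {            # $1 = day of month (single digit in this sample)
    grep -E "^Jul +$1 " "$LOG" || true
}
count_on_day() { lines_on_day "$1" | wc -l | tr -d ' '; }

# Lines in a day range that do / do not contain a phrase. The range is a
# bracket expression, so it covers single-digit days only (e.g. 5-7).
# The second grep is -F (fixed string): no regex needed for a plain phrase.
in_range_with() {           # $1 = first day, $2 = last day, $3 = phrase
    grep -E "^Jul +[$1-$2] " "$LOG" | grep -F -e "$3" || true
}
in_range_without() {        # same arguments; -v inverts the phrase match
    grep -E "^Jul +[$1-$2] " "$LOG" | grep -vF -e "$3" || true
}

# Severity keywords, case-insensitive (-i), alternation via -E.
# Note that 'warning' does not match NetworkManager's "<warn>" tag.
severity_lines() {
    grep -iE 'error|warning|critical' "$LOG" || true
}

# Context around an exact event line: N lines before (-B) or after (-A).
before_event() {            # $1 = N, $2 = exact event text
    grep -B "$1" -F -e "$2" "$LOG" || true
}
after_event() {             # $1 = N, $2 = exact event text
    grep -A "$1" -F -e "$2" "$LOG" || true
}

# Stand-alone demo run.
echo "Lines on Jul 7: $(count_on_day 7)"
echo "--- Jul 5-7 lines mentioning 'Starting Network Manager' ---"
in_range_with 5 7 'Starting Network Manager'
echo "--- severity lines ---"
severity_lines
echo "--- 2 lines before the 'Started ... Dispatcher Service.' event on Jul 7 ---"
before_event 2 'Jul  7 06:24:26 centos7-2 systemd: Started Network Manager Script Dispatcher Service.'
```

Each function writes matching lines to stdout, so the same wrappers can be piped onward (for example into wc -l for a count) exactly as the raw grep commands above would be.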
Useful links…
More usefulness to come…