rquery (https://github.com/fuyuncat/rquery/releases) is the perfect tool for searching logs.
You can use rq like a SQL query.
In your case, the fields can be split by spaces, and then the first 3 fields are concatenated to construct the full date.
[ rquery]$ cat samples/logdates.txt
Oct 13 17:35:25 AriaDezh filterlog: 1054<1>,82,,,0,lo0,special string,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:36:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:37:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:38:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:39:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
[ rquery]$ ./rq -q "p d/ / | s @raw | f @1+' '+@2+' 2022 '+@3>='Oct 13 2022 17:36:25' and @1+' '+@2+' 2022 '+@3<='Oct 13 2022 17:38:25' and @raw like '*special string*'" samples/logdates.txt -m error
Oct 13 17:37:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
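The same range-plus-substring filter written out in plain Python, as an added example that is not part of the original answer or of the rquery project; it embeds the five sample lines from the answer and, like the rq query above, assumes the year 2022 because syslog timestamps carry none:

```python
from datetime import datetime

# The five sample lines from samples/logdates.txt in the answer, embedded so the
# script runs offline. Each line starts with "Mon DD HH:MM:SS" and has no year.
SAMPLE_LOG = """\
Oct 13 17:35:25 AriaDezh filterlog: 1054<1>,82,,,0,lo0,special string,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:36:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:37:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:38:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
Oct 13 17:39:25 AriaDezh filterlog: 1055<1>,83,,,0,lo0,special string,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,127.0.0.1,127.0.0.1,50191,14382,0,S,1420028472,,65228,,mss;nop;wscale;sackOK;TS
"""


def parse_timestamp(line, year=2022):
    """Build a full datetime from the first three whitespace-separated fields
    (month, day, time). The year is an assumption, exactly as the rq query
    hard-codes 2022. split() without a separator also absorbs the double space
    syslog uses for single-digit days ("Oct  3")."""
    fields = line.split(maxsplit=3)
    if len(fields) < 3:
        return None  # too short to carry a timestamp (e.g. a continuation line)
    try:
        return datetime.strptime(f"{fields[0]} {fields[1]} {year} {fields[2]}",
                                 "%b %d %Y %H:%M:%S")
    except ValueError:
        return None  # first fields are not a syslog timestamp


def filter_log(text, start, end, needle):
    """Return the lines whose timestamp lies in [start, end] (inclusive, like the
    >= and <= in the rq query) and whose raw text contains `needle`."""
    hits = []
    for line in text.splitlines():
        ts = parse_timestamp(line)
        if ts is None:
            continue  # unparseable lines are skipped rather than crashing the run
        if start <= ts <= end and needle in line:
            hits.append(line)
    return hits


if __name__ == "__main__":
    start = datetime(2022, 10, 13, 17, 36, 25)
    end = datetime(2022, 10, 13, 17, 38, 25)
    for hit in filter_log(SAMPLE_LOG, start, end, "special string"):
        print(hit)  # prints only the 17:37:25 line, matching the rq output above
```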