AWK

Sample

#判斷秒數超過幾秒
tail -f mongod.log | awk '{ if(int($(NF)) > 1000 ){print $0 }  }'

#判斷error log錯誤超過多少頻率時，發送mail警報
BEGIN{
    FS="[,]" #設定欄位間隔
    PERIOD_TIME=3600    #一小時一週期(期間)
    ISMAIL=0            #期間內發送mail次數
    ERROR_LIMIT=30      #期間內錯誤上限
}
{
    #print $NF
    #group 取得錯誤等級
    match($1,/(Notice:|Warning:|ERROR:|Fatal error:).*/,err_lv)

    match($1,/[0-9][0-9]-[A-Z][a-z][a-z].*/)
    if(RSTART>0){

        #字串取得timestamp值
        dateTimeStr = substr($1, 2,20)
        split(dateTimeStr,dateTimeArr,"[-: ]")
        match("JanFebMarAprMayJunJulAugSepOctNovDec",dateTimeArr[2])
        dateTimeArr[2] = sprintf("%02d",(RSTART+2)/3)
        secs = mktime(dateTimeArr[3]" "dateTimeArr[2]" "dateTimeArr[1]" "dateTimeArr[4]" "dateTimeArr[5]" "dateTimeArr[6])
        #print secs , "###", $1 ,"/////", $2

        # 每一個小時為一個區間
        if( FNR<=1 || secs > thisHour+PERIOD_TIME){
            ISMAIL=0
            thisHour = mktime(dateTimeArr[3]" "dateTimeArr[2]" "dateTimeArr[1]" "dateTimeArr[4]" "00" "00)
            print thisHour ,"總計"
            print "Notice:",strftime("%c",thisHour),errorCount[thisHour "Not"  ],"次"
            print "Warning:",strftime("%c",thisHour),errorCount[thisHour "War"  ],"次"
            print "ERROR:",strftime("%c",thisHour),errorCount[thisHour "ERR"  ],"次"
            print "Fatal error::",strftime("%c",thisHour),errorCount[thisHour "Fat"  ],"次"
        }
        #print thisHour

        errorCount[thisHour "" substr(err_lv[1],1,3) ]++

        print err_lv[1],strftime("%c",thisHour),errorCount[thisHour "" substr(err_lv[1],1,3) ],"次"

        #發信
        if( ISMAIL<1 && ( errorCount[thisHour "ERR"  ] >  ERROR_LIMIT || errorCount[thisHour "Fat"  ] >  ERROR_LIMIT)  ){
            print "send email"
            system("mailx -s \"ERR OVER LIMIT\" [email protected]<<eof" RS "時間內錯誤超過" ERROR_LIMIT "次" RS "eof")
            ISMAIL++
        }
    }else{
        #print $NF
    }

}
END{
    for( i in errorCount){
        print i,errorCount[i],strftime("%c",i)
    }
}