ETL Session 03: Log Processing

# Find all errors
grep ERROR /tmp/app.log

# Find errors OR warnings
grep -E 'ERROR|WARN' /tmp/app.log

# Case insensitive
grep -i error /tmp/app.log

# Lines NOT matching
grep -v INFO /tmp/app.log

# Show context around matches
grep -B 1 -A 1 ERROR /tmp/app.log  # 1 line before and after
grep -C 2 ERROR /tmp/app.log       # 2 lines context

# Extract just the IP addresses
grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' /tmp/app.log

# Extract hostnames from brackets
grep -oE '\[[a-z]+-[0-9]+\]' /tmp/app.log | tr -d '[]'

# Replace ERROR with [ERROR]
sed 's/ERROR/[ERROR]/' /tmp/app.log

# Global replacement (all occurrences)
sed 's/kvm/KVM/g' /tmp/app.log

# Delete INFO lines
sed '/INFO/d' /tmp/app.log

# Keep only ERROR lines
sed '/ERROR/!d' /tmp/app.log

# Extract timestamp and level
sed -n 's/\(.*\) \(INFO\|WARN\|ERROR\) .*/\1 \2/p' /tmp/app.log

# Reformat timestamp
sed 's/T/ /' /tmp/app.log | sed 's/\([0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}\).*/\1/'

# Count by log level
awk '{level[$2]++} END {for (l in level) print l, level[l]}' /tmp/app.log

INFO 4
WARN 2
ERROR 3

# Extract host from brackets, count
awk -F'[][]' '{hosts[$2]++} END {for (h in hosts) print h, hosts[h]}' /tmp/app.log

# Errors per minute
grep ERROR /tmp/app.log | \
  awk -F'[T:]' '{minute=$1":"$2":"$3; errors[minute]++}
    END {for (m in errors) print m, errors[m]}' | sort

# Most common error messages
grep ERROR /tmp/app.log | \
  awk -F'] ' '{print $2}' | \
  sort | uniq -c | sort -rn | head -5

echo "=== ERROR REPORT ==="
echo "Generated: $(date)"
echo ""
echo "Errors by host:"
grep ERROR /tmp/app.log | \
  awk -F'[][]' '{hosts[$2]++} END {for (h in hosts) printf "  %s: %d\n", h, hosts[h]}'
echo ""
echo "Recent errors:"
grep ERROR /tmp/app.log | tail -3 | sed 's/^/  /'

awk '
  {
    total++
    level[$2]++
    # Extract host
    match($0, /\[([a-z]+-[0-9]+)\]/, arr)
    if (arr[1]) hosts[arr[1]]++
  }
  END {
    print "Total entries:", total
    print "\nBy level:"
    for (l in level) printf "  %s: %d\n", l, level[l]
    print "\nBy host:"
    for (h in hosts) printf "  %s: %d\n", h, hosts[h]
  }' /tmp/app.log

# Real-time error alerting (simulated)
grep ERROR /tmp/app.log | while read line; do
  host=$(echo "$line" | grep -oE '\[[a-z]+-[0-9]+\]' | tr -d '[]')
  msg=$(echo "$line" | awk -F'] ' '{print $2}')
  echo "ALERT: $host - $msg"
done