Re: [systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
Le jeu. 25 avr. 2024 à 08:38, Lennart Poettering a écrit : > > On Do, 25.04.24 12:49, Andy Pieters (syst...@andypieters.me.uk) wrote: > > > On Thu, 25 Apr 2024 at 12:48, Lennart Poettering > > wrote: > > > > > On Mi, 24.04.24 14:48, Etienne Champetier (champetier.etie...@gmail.com) > > > wrote: > > > > > > > > > what is "last X Mo" supposed to mean? is "mo" supposed to mean months? > > > thus: show logs from a given number of most recent months? if so, just > > > use: > > > > > > megabytes (mega octets in French) > > oh, wow. weird. My bad, yes I meant MB/megabytes > > megabytes of what though? of formatted text? or of a journal file on disk? > > such a weird request... that would be formatted text, even if not the most efficient this is what is in an sos report today. 'sos report' generates an archive with as much information as possible to give to your support team / dev team, you want as much log as possible but by default you need a reasonable size limit so that you don't fill up your ticketing system. The size limit doesn't need to be extremely precise. Etienne > Lennart > > -- > Lennart Poettering, Berlin
Re: [systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
On Do, 25.04.24 12:49, Andy Pieters (syst...@andypieters.me.uk) wrote: > On Thu, 25 Apr 2024 at 12:48, Lennart Poettering > wrote: > > > On Mi, 24.04.24 14:48, Etienne Champetier (champetier.etie...@gmail.com) > > wrote: > > > > > > what is "last X Mo" supposed to mean? is "mo" supposed to mean months? > > thus: show logs from a given number of most recent months? if so, just > > use: > > > > megabytes (mega octets in French) oh, wow. weird. megabytes of what though? of formatted text? or of a journal file on disk? such a weird request... Lennart -- Lennart Poettering, Berlin
Re: [systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
On Thu, 25 Apr 2024 at 12:48, Lennart Poettering wrote: > On Mi, 24.04.24 14:48, Etienne Champetier (champetier.etie...@gmail.com) > wrote: > > > what is "last X Mo" supposed to mean? is "mo" supposed to mean months? > thus: show logs from a given number of most recent months? if so, just > use: > > megabytes (mega octets in French)
Re: [systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
On Mi, 24.04.24 14:48, Etienne Champetier (champetier.etie...@gmail.com) wrote: > Hi all, > > sos report includes the last X Mo of logs, sometimes filtered, > sometimes not what is "last X Mo" supposed to mean? is "mo" supposed to mean months? thus: show logs from a given number of most recent months? if so, just use: journalctl --since=-3month Lennart -- Lennart Poettering, Berlin
Re: [systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
> On 24 Apr 2024, at 19:48, Etienne Champetier > wrote: > > Anyone have other ideas to do fast exports without having all logs in > memory or twice on disk ? Maybe base on time not size? Then you can use the --since option. Barry
[systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
Hi all, sos report includes the last X Mo of logs, sometimes filtered, sometimes not right now it's doing the equivalent of "journalctl | tail -cXm", which reads / format all logs, which can be extremely slow The fastest way I found so far is: journalctl --reverse | head -c Xm | tac This still has the drawback of having all logs in memory, or if using a temporary file, needing 2*X of disk space. I've tried to play with journalctl cursor to find the start and then output starting from the cursor 1) this doesn't work / CURSOR is only created when using -n journalctl --reverse --cursor-file=CURSOR | head -c Xm > /dev/null 2) this ends up being ~2 times slower than just using reverse | head | tac ``` #!/bin/bash cursor=$(mktemp cursor.XX) logsize=0 while [ "$logsize" -lt 104857600 ] do prevcursor="$(<$cursor)" ((logsize+=$(journalctl --reverse --cursor-file=$cursor -n 1000 | wc -c))) [ "$prevcursor" == "$(<$cursor)" ] && break done journalctl --cursor-file=$cursor rm -f cursor ``` Anyone have other ideas to do fast exports without having all logs in memory or twice on disk ? sos report ticket: https://github.com/sosreport/sos/issues/3615
