log parsing with sed or grep

Tags: grep, shell, sed, tail

I want to grab data from this kind of log.

Nov 12 13:46:14 Home cxxd[8892]: 208 11/12 13:46:14| qc=IN (1), qt=A (1), query="www.yahoo.com."

I implemented this, which gives me the URL. But it does not work with "TAIL -F" so that I could monitor just the URLs live.

tail -100 /var/log/system.log | grep "query=" | sed -e "s/.*query=//" | sed -e "s/\"//g" | sed -e "s/.$/ /"

Please suggest or enhance.

PH. asked Dec 21 '22 06:12

1 Answer

I expect your multiple sed scripts do work with tail -F output, just not as you expect.

The C standard IO libraries will perform buffering to improve performance. The IO library can do (a) no buffering (b) line-buffering (c) block-buffering. The line-buffering is normally chosen if the output is going to a terminal. But if the output is going to a file or pipe, then block buffering is normally chosen. (It's more complicated than this -- the behavior changes if the file descriptor in question is being used for stdout or stderr or another file. See setvbuf(3) for full details.)

So, while the block-buffering you're seeing now is probably better for performance, it does mean you can wait a while before ever seeing any output, as each command will eventually accumulate a block of data. At least grep(1) allows the --line-buffered command line option to use line-buffering -- and sed(1) allows the --unbuffered command line option to flush output buffers more often. So try this:

tail -f /var/log/system.log | grep --line-buffered "query=" | sed -u -e "s/.*query=//" | sed -u -e "s/\"//g" | sed -u -e "s/.$/ /"

(I didn't find any similar options for tail(1), but even if it sends blocks of data to the others, the changes to grep(1) and sed(1) will drastically help.)

sarnold answered Jan 06 '23 17:01
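
An added example, not part of the answer above: the same extraction done in one shell loop instead of a chain of buffered filters, so each name is written as soon as its log line arrives. The function name `extract_queries`, the character check and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# extract_queries (hypothetical name): read log lines on stdin and print the
# name found in query="...". The loop handles one line at a time and writes
# each result immediately, so no filter in the pipeline sits on a block of
# buffered output while the log is being followed.
extract_queries() {
    while IFS= read -r line; do
        case $line in
            *'query="'*) ;;          # line carries a quoted query field
            *) continue ;;           # anything else is skipped
        esac
        name=${line##*query=\"}      # drop everything through the opening quote
        name=${name%%\"*}            # drop the closing quote and what follows
        name=${name%.}               # drop the trailing root dot
        # Assumption for this example: the queried name is chosen by whoever
        # sent the query, so anything outside plain hostname characters
        # (for instance terminal escape bytes) is not echoed to the screen.
        case $name in
            *[!A-Za-z0-9._-]*) name='(rejected: unexpected characters)' ;;
        esac
        printf '%s\n' "$name"
    done
}

# Constructed sample lines in the format shown in the question.
printf '%s\n' \
    'Nov 12 13:46:14 Home cxxd[8892]: 208 11/12 13:46:14| qc=IN (1), qt=A (1), query="www.yahoo.com."' \
    'Nov 12 13:46:15 Home cxxd[8892]: 209 11/12 13:46:15| unrelated line' |
    extract_queries
```

For live monitoring, feed it from the follower: `tail -F /var/log/system.log | extract_queries`. A shell loop is slower than sed on bulk input, which does not matter at the rate a log is followed.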