[systemd-devel] Fastest way to dump last X Mo of logs from the journal ?
Etienne Champetier
champetier.etienne at gmail.com
Wed Apr 24 18:48:56 UTC 2024
Hi all,
sos report includes the last X Mo of logs, sometimes filtered, sometimes not
right now it's doing the equivalent of "journalctl | tail -cXm", which
reads / format all logs, which can be extremely slow
The fastest way I found so far is:
journalctl --reverse | head -c Xm | tac
This still has the drawback of having all logs in memory, or if using
a temporary file, needing 2*X of disk space.
I've tried to play with journalctl cursor to find the start and then
output starting from the cursor
1) this doesn't work / CURSOR is only created when using -n
journalctl --reverse --cursor-file=CURSOR | head -c Xm > /dev/null
2) this ends up being ~2 times slower than just using reverse | head | tac
```
#!/bin/bash
cursor=$(mktemp cursor.XXXXXXXXXX)
logsize=0
while [ "$logsize" -lt 104857600 ]
do
prevcursor="$(<$cursor)"
((logsize+=$(journalctl --reverse --cursor-file=$cursor -n 1000 | wc -c)))
[ "$prevcursor" == "$(<$cursor)" ] && break
done
journalctl --cursor-file=$cursor
rm -f cursor
```
Anyone have other ideas to do fast exports without having all logs in
memory or twice on disk ?
sos report ticket: https://github.com/sosreport/sos/issues/3615
More information about the systemd-devel
mailing list