@dreness
Created September 7, 2021 19:02
macOS log haystack needler
#!/bin/zsh
# set -x
# Reference: https://dreness.com/blog/archives/155773

# Print the help text and exit. $1 is the script name.
usage() {
    print "$1: Use histograms to explore os_log data.

Usage: $1 [-k logKey] [-l logtime] [-h] [predicate]
    -k  Calculate frequency of unique values of this log attribute.
        Default: processImagePath
    -l  Only query logs written in the last 'logtime' time period.
        This value is passed directly to log's '--last' option.
        Default: 2m (two minutes).
    -h  show this help

The 'predicate' positional argument (if present) is passed directly to 'log'
as the value for the '--predicate' option. This should be a quoted string.

Examples:
    # Look Who's Talking? (over the last 24 hours)
    % $1 -l 1d

    # Look Who's Talking Now? (the default time scope is two minutes)
    % $1

    # Format Perspective - display the recent unique kinds of log messages from
    # Finder
    % $1 -k formatString 'process = \"Finder\"'
"
    exit 1
}

SCRIPT=$(basename "$0")
LOG="/usr/bin/log" # did you know that 'log' is a zsh builtin?
KEY='processImagePath'
LAST='2m'
LOGQ=()  # extra arguments for 'log show'; stays empty when no predicate is given

# The optstring must not contain spaces: 'k:' and 'l:' take an argument, 'h' does not.
while getopts 'k:l:h' arg; do
    case $arg in
        k) KEY=$OPTARG;;
        l) LAST=$OPTARG;;
        h) usage ${SCRIPT}; exit 0;;
    esac
done
shift $((OPTIND -1))

#printf "1: %s, 2: %s\n" $1 $2
#print "key: $KEY"
#print "LAST: $LAST"
#print "dollar at: $@"

# Any remaining arguments are used as a log query predicate
if [[ -n $1 ]]
then
    LOGQ=(--predicate $1)
fi

# Emit one JSON object per log entry, extract the chosen key with jq,
# then count the unique values and list them from least to most frequent.
${LOG} show --info --last "${LAST}" --style ndjson ${LOGQ} | jq ".${KEY}" | sort | uniq -c | sort -n

#log show --last 1m --style json $@ | jq ${F} | awk "/${KEY}/ {print \$2}" | sort | uniq -c | sort -n
#F=$(printf '.[] | select(.%s != "") | {%s}' ${KEY} ${KEY})
#F=$(printf ".%s" ${KEY})
#${LOG} show --last "${LAST}" --style ndjson "$@" | jq ${F} | awk "/${KEY}/ {print \$2}" | sort | uniq -c | sort -n
#${LOG} show --last "${LAST}" --style ndjson "$@" | jq "${F}" | awk "/${KEY}/ {print \$2}"

dreness commented Oct 28, 2021

andre@boop % logfreq 
Looking back in time by 2m to count the unique values of processImagePath
 463 "/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds"
 469 "/System/Library/CoreServices/NowPlayingTouchUI.app/Contents/MacOS/NowPlayingTouchUI"
 509 "/System/Library/CoreServices/ControlCenter.app/Contents/MacOS/ControlCenter"
 522 "/usr/libexec/searchpartyd"
 616 "/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice"
 643 "/usr/libexec/AirPlayXPCHelper"
 656 "/usr/libexec/locationd"
 847 "/usr/sbin/cfprefsd"
 909 "/kernel.development"
 934 "/usr/libexec/sharingd"
1349 "/usr/sbin/mDNSResponder"
1548 "/System/Applications/Calendar.app/Contents/MacOS/Calendar"
1629 "/System/Applications/Mail.app/Contents/MacOS/Mail"
1739 "/usr/libexec/syspolicyd"
1786 "/Applications/Docker.app/Contents/MacOS/com.docker.backend"
1852 "/System/Library/CoreServices/Siri.app/Contents/MacOS/Siri"
1969 "/usr/libexec/trustd"
2662 "/usr/sbin/bluetoothd"
3110 "/Applications/Slack.app/Contents/MacOS/Slack"
7154 "/System/Library/Services/AppleSpell.service/Contents/MacOS/AppleSpell"
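
A follow-on to the histogram output in the comment above, as an added example that is not part of the gist: it compares two saved histograms and lists the values that are new or whose count grew by a chosen factor, which is how a sudden talker stands out against a baseline. The function name `hist_diff`, the default factor of 3 and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: not part of the gist. Compares two saved histograms in the
# "count value" format the script above prints (the output of `uniq -c`).

# hist_diff BASELINE CURRENT [FACTOR]
# Prints "current baseline value" for each value that is absent from BASELINE
# or whose count is at least FACTOR (default 3) times its baseline count,
# largest current count first.
hist_diff() {
    awk -v factor="${3:-3}" '
        !/^[ \t]*[0-9]+[ \t]+./ { next }    # skip header and blank lines
        {
            cnt = $1 + 0                    # force numeric comparison
            val = $0                        # value may contain spaces
            sub(/^[ \t]*[0-9]+[ \t]+/, "", val)
        }
        FILENAME == ARGV[1] { base[val] = cnt; next }
        {
            b = (val in base) ? base[val] : 0
            if (b == 0 || cnt >= factor * b) printf "%d %d %s\n", cnt, b, val
        }
    ' "$1" "$2" | sort -rn
}

# Constructed sample data (paths and counts are made up for the demonstration).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline" <<'EOF'
 847 "/usr/sbin/cfprefsd"
1969 "/usr/libexec/trustd"
 120 "/usr/libexec/syspolicyd"
EOF
    cat > "$dir/current" <<'EOF'
Looking back in time by 2m to count the unique values of processImagePath
 901 "/usr/sbin/cfprefsd"
2100 "/usr/libexec/trustd"
1739 "/usr/libexec/syspolicyd"
  58 "/Applications/Example.app/Contents/MacOS/Example Helper"
EOF
    hist_diff "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo
```

Both input files are saved runs of the script over comparable time windows, and a key missing from the baseline is reported with a baseline count of 0.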
