Kubernetes logs dump for some time range

Is it possible to obtain Kubernetes logs for a dedicated time range?

All I can do right now is to make a dump of about the last-hour log for the single pod using kubectl logs > dump.log cmd.

But for debugging reasons, it's necessary to obtain the logs for the last week. I was unable to find any abilities to do this in Kubernetes logs.

The only thought is to attach some external service like Kibana for the logs collection, but maybe built-in Kubernetes remedies allow to do this?

Thank you.



Solution 1:[1]

...the last-hour log for the single pod

To retrieve the last 1 hour of logs you can do this: kubectl logs <pod> --since=1h. Excerpted from kubectl help for more options:

--since=0s: Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used.

--since-time='': Only return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used.

--tail=-1: Lines of recent log file to display. Defaults to -1 with no selector, showing all log lines otherwise 10, if a selector is provided.

Solution 2:[2]

Is it possible to obtain Kubernetes logs for a dedicated time range?

Yes, it is possible and in many different ways.

The only thought is to attach some external service like Kibana for the logs collection, but maybe built-in Kubernetes remedies allow to do this?

Both are possible. However, it all depends on the specific case which will be better. Chris Doyle put it well in his comment:

it would depend on your log retention and roll over strategy you have in your cluster, generally you would need to consider node space especially when nodes are running multiple pods etc. Generally speaking my preferred strategy is to have short retention period on the node side and push log off to a centralised solution like you mentioned with elk, splunk, datadog, loki etc

Of course, the built-in k8s tools will also be able to help you. You have to use the kubectl logs command for that, with the proper flags. You can read about all options in the manual:

This could be the most interesting part:

--since=0: Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used.

--since-time="": Only return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used.

To display pod logs from the last week you can run the following command:

kubectl logs -n <pod_namespace (optional)>  <pod name> --since 168h

Solution 3:[3]

AWK is an awesome tool in Unix/Linux systems for these types of logical operations

So, to display logs between two times (ex: 10 AM to 11 AM):

  1. Using --since-time and awk

    kubectl logs pod_name --since-time=2022-04-30T10:00:00Z | awk '$0 < "2022-04-30 11:00:00"'

  2. Using only awk

    kubectl logs pod_name | awk '$0 > "2022-04-30 10:00:00"' | awk '$0 < "2022-04-30 11:00:00"'

Note: Please format the date_time used in the awk command based on the log output.
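
Added example, not part of any of the answers above: a shell filter that bounds the window on both sides using the timestamps kubectl itself prepends with --timestamps, so the comparison does not depend on the application's own log format. The function names and sample lines are constructed for illustration, and it assumes the prepended timestamps are UTC with a trailing Z.

```shell
#!/bin/sh
# Added example (not from the original answers). Names are hypothetical.

# filter_window START END
# Reads lines that begin with an RFC3339 UTC timestamp, as printed by
# `kubectl logs --timestamps`, and keeps those with START <= ts < END.
# Only the first 19 characters (YYYY-MM-DDThh:mm:ss) are compared, so the
# fractional seconds kubectl prints cannot slip a line past the END bound.
filter_window() {
    awk -v start="$1" -v end="$2" '
        BEGIN { s = substr(start, 1, 19); e = substr(end, 1, 19) }
        # Lines without a leading timestamp are skipped.
        $1 ~ /^[0-9]+-[0-9]+-[0-9]+T[0-9]+:[0-9]+:[0-9]+/ {
            ts = substr($1, 1, 19)
            if (ts >= s && ts < e) print
        }
    '
}

# dump_window POD START END [NAMESPACE]
# --since-time lets the API server drop everything before START;
# filter_window then applies the END bound locally.
dump_window() {
    # ${4:+...} adds "-n NAMESPACE" only when a fourth argument is given.
    kubectl logs "$1" ${4:+-n "$4"} --timestamps --since-time="$2" |
        filter_window "$2" "$3"
}

# Constructed sample in the shape `kubectl logs --timestamps` prints.
sample_lines() {
    cat <<'EOF'
2022-04-30T09:59:59.900000000Z GET /healthz 200
2022-04-30T10:00:00.000000000Z POST /login 401 user=alice
2022-04-30T10:42:17.123456789Z POST /login 200 user=alice
2022-04-30T11:00:00.000000001Z GET /admin 403 user=alice
EOF
}

# Offline demo: prints the two lines inside [10:00, 11:00).
sample_lines | filter_window 2022-04-30T10:00:00Z 2022-04-30T11:00:00Z
```

Against a cluster, `dump_window <pod> 2022-04-30T10:00:00Z 2022-04-30T11:00:00Z > dump.log` writes the bounded window to a file; it can only return what the node still retains.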

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 gohm'c
Solution 2 Mikołaj Głodziak
Solution 3 Mohan Munisifreddy