On Wed, Oct 02, 2013 at 02:42:55AM -0700, David Strauss wrote:
> On Wed, Oct 2, 2013 at 2:04 AM, Manuel Reimer
> <[email protected]> wrote:
> > Another option seems to be to store a timestamp in memory and use --since.
> > Maybe this is even more error proof as a cursor could maybe get invalid if
> > the log really exceeds my 1M limit.
>
> If your cursor's invalid, that probably means you've missed some
> items. That might be worth knowing rather than silently handling. You
> can always fall back to fetching all if the cursor has rolled out of
> memory.

I'm pretty sure that if a cursor has rolled out of memory, --after-cursor will still do the right thing, i.e. show all logs.

Timestamps are not as good, because of time jumps. --show-cursor and --after-cursor were designed pretty much for this use case, so they *should* work for you, and if they don't, that's a bug to fix.

To make the approach explicit: the idea is that you do 'journalctl --show-cursor', tee the output to gzip, and also grep for '^-- cursor: ' and record the cursor and then use it with --after-cursor in the next round.

Zbyszek
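
The round-by-round export described in the message above, as an added example that is not part of the original thread or of systemd. The `export_round` function, the `STATE` path and the `JOURNALCTL` override are assumptions of this sketch; only `--show-cursor`, `--after-cursor` and the `-- cursor: ` line come from the message.

```shell
#!/bin/sh
# Added example. STATE and the JOURNALCTL override are assumptions of this
# sketch, not systemd settings.
JOURNALCTL=${JOURNALCTL:-journalctl}
STATE=${STATE:-/var/lib/journal-export/cursor}

# export_round OUTFILE
# Writes entries newer than the saved cursor to OUTFILE (gzip) and saves the
# new cursor. Returns 1 and leaves the saved cursor untouched when no
# '-- cursor: ' line was seen (command failed, or nothing was printed).
export_round() {
    er_out=$1
    er_new=$(mktemp) || return 1
    er_old=
    [ -s "$STATE" ] && er_old=$(cat "$STATE")

    # No saved cursor means first round: export everything. The awk stage
    # diverts the trailing cursor line to a file in the same pass that
    # feeds everything else to gzip.
    if [ -n "$er_old" ]; then
        "$JOURNALCTL" --show-cursor --after-cursor="$er_old"
    else
        "$JOURNALCTL" --show-cursor
    fi |
    awk -v cf="$er_new" '
        /^-- cursor: / { sub(/^-- cursor: /, ""); print > cf; next }
        { print }' |
    gzip -c > "$er_out.part"

    if [ ! -s "$er_new" ]; then
        rm -f "$er_new" "$er_out.part"
        return 1
    fi
    # Publish the archive first, then advance the cursor atomically, so an
    # interruption repeats entries in the next round instead of skipping them.
    mv "$er_out.part" "$er_out" &&
    tail -n 1 "$er_new" > "$STATE.tmp" && mv "$STATE.tmp" "$STATE"
    er_rc=$?
    rm -f "$er_new"
    return $er_rc
}
```

A non-zero return is the signal to investigate instead of silently moving on, since the saved cursor still points at the last entry that was archived.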
