Scanning Logs after an event

A quick rundown on how to do a post-mortem after a traffic spike

The Lad 2 min read

The Problem

You get a traffic spike alert with timestamps in your local timezone (PDT or PST), but your access.log entries are in UTC. Here's how to quickly convert and grep the right window.

PDT / PST → UTC One-Liner

Pacific Daylight Time (PDT) is UTC−7. Pacific Standard Time (PST) is UTC−8.

Convert a local time to UTC right in your terminal:

# Linux (GNU date)
# PDT (UTC-7) → UTC: e.g. 4:52 AM PDT → 11:52 AM UTC
date -d "4:52 AM PDT" -u +"%H:%M"

# PST (UTC-8) → UTC: e.g. 4:52 AM PST → 12:52 PM UTC
date -d "4:52 AM PST" -u +"%H:%M"

macOS ships with BSD date, which doesn't support -d. Use Python instead — no install needed:

# macOS — PDT (UTC-7) to UTC
python3 -c "
from datetime import datetime, timezone, timedelta
t = datetime.now().replace(hour=4, minute=52, tzinfo=timezone(timedelta(hours=-7)))
print(t.astimezone(timezone.utc).strftime('%H:%M'))
"
# → 11:52

# macOS — PST (UTC-8) to UTC
python3 -c "
from datetime import datetime, timezone, timedelta
t = datetime.now().replace(hour=4, minute=52, tzinfo=timezone(timedelta(hours=-8)))
print(t.astimezone(timezone.utc).strftime('%H:%M'))
"
# → 12:52

Or install GNU coreutils via Homebrew to get the Linux-style date:

brew install coreutils
# then use gdate instead of date:
gdate -d "4:52 AM PDT" -u +"%H:%M"

Grep the Access Log for a Time Window

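Once you have the UTC time, grep for a range using a regex character class on the minutes. The patterns below match on clock time alone, so if the log covers more than one day they return that window from every day in the file: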

# Match 11:32 through 11:39 UTC
grep -E "11:3[2-9]:" /var/log/nginx-proxy/access.log

# Match 11:32 through 11:45 UTC (spanning tens digit)
grep -E "11:(3[2-9]|4[0-5]):" /var/log/nginx-proxy/access.log

# Match an entire hour (11:00–11:59)
grep -E "11:[0-5][0-9]:" /var/log/nginx-proxy/access.log

Full Workflow Example

You get a Slack alert at 4:52 AM PDT. Here's the full flow:

# Step 1: find the UTC equivalent (macOS)
$ python3 -c "
from datetime import datetime, timezone, timedelta
t = datetime.now().replace(hour=4, minute=52, tzinfo=timezone(timedelta(hours=-7)))
print(t.astimezone(timezone.utc).strftime('%H:%M'))
"
11:52

# Step 2: grep a ±5 minute window around 11:52 UTC
grep -E "11:(4[7-9]|5[0-7]):" /var/log/nginx-proxy/access.log
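
An added example, not part of the original post: the same convert-then-filter flow in Python, parsing each entry's timestamp instead of pattern-matching the minutes, so a window that crosses an hour or midnight works and the same clock time on another day or inside a URL is not returned. It assumes timestamps in the form [14/Jul/2025:23:55:10 +0000]; the function names and sample entries are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed offsets as stated on this page: PDT is UTC-7, PST is UTC-8.
OFFSETS = {"PDT": timezone(timedelta(hours=-7)),
           "PST": timezone(timedelta(hours=-8))}
# Bracketed time field, e.g. [14/Jul/2025:23:55:10 +0000] (assumed log format).
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def utc_window(local, zone, minutes=5):
    """Return (start, end) in UTC for local 'YYYY-MM-DD HH:MM' +/- minutes."""
    t = datetime.strptime(local, "%Y-%m-%d %H:%M").replace(tzinfo=OFFSETS[zone])
    t = t.astimezone(timezone.utc)
    return t - timedelta(minutes=minutes), t + timedelta(minutes=minutes)

def lines_in_window(lines, start, end):
    """Yield lines whose own timestamp field lies in [start, end]."""
    for line in lines:
        m = TS_RE.search(line)
        if m is None:
            continue  # no timestamp field: not an access-log entry
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= end:
            yield line

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [13/Jul/2025:23:55:10 +0000] "GET / HTTP/1.1" 200 612',
    '203.0.113.7 - - [14/Jul/2025:23:55:10 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.4 - - [15/Jul/2025:00:02:41 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.4 - - [15/Jul/2025:00:04:00 +0000] "GET /t?at=23:55:10 HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    # Alert at 4:58 PM PDT: the +/-5 minute window runs 23:53 to 00:03 UTC,
    # crossing midnight, so it needs two dates and two hours.
    start, end = utc_window("2025-07-14 16:58", "PDT")
    print(start.isoformat(), "to", end.isoformat())
    for hit in lines_in_window(SAMPLE, start, end):
        print(hit)
```

To run it against a real log, pass an open file object (for example the access.log path used above) as the lines argument.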

Quick Reference

  • PDT (summer): add 7 hours → 4:52 AM + 7 = 11:52 UTC
  • PST (winter): add 8 hours → 4:52 AM + 8 = 12:52 UTC
  • When the result is 24:00 or later, subtract 24; the time is on the next UTC day
  • macOS date is BSD — use Python or gdate (Homebrew) instead of date -d