
SANS ISC: Scripting with Unix Date - SANS Internet Storm Center SANS ISC InfoSec Forums


Scripting with Unix Date

I have been "playing" with the date command for a while in various Unix shell scripts and found the following date options quite useful.

Setting Unix system date and time

  • To set the clock to November 13, 2010, 06:30 a.m., run: date 111306302010

Unix epoch time to regular time

  • date -d @1289524456 will provide a result of "Thu Nov 11 20:14:16 EST 2010"

Unix date to epoch time

  • date +%s -d "2010-11-03" will provide a result of 1288756800

Unix epoch time to print only the time Fri Sep 10 10:00:01 EDT 2010

  • date -d @1288310401 +%k:%M will provide a result of 20:00 hours

Print yesterday's date (today - 1) in the Year-Month-Day format

  • date --date "-1 days" +"%Y-%m-%d" will produce a result of 2010-11-10

Print last month's date (today - 1 month) in the Year-Month-Day format

  • date --date "-1 month" +"%Y-%m-%d" will produce a result of 2010-10-11

You can also check the Unix man pages for other time/date combinations. If you know other date "tricks" you would like to share, you can send them via our contact page and I will add them to this diary.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Guy

427 Posts
ISC Handler
Instead of
date --date "-1 days" +"%Y-%m-%d"

try
date --date "yesterday" +"%Y-%m-%d"

It also understands "now" and "today".
Anonymous
Also, you can convert dates in other timezone to your local tz (EST in this example):

date --date "Thu Nov 11 21:23:34 PST 2010"
Fri Nov 12 00:23:34 EST 2010
Anonymous
Got any tips to convert raw log times to real date times?

What is 1234567890.123 equal to in real life? What is the conversion algorithm?
24/60/365 +1900 almost works, but I'm missing something.
Guido

2 Posts
Most of those command lines are NOT for any *Unix* 'date' command. They are for GNU 'date' which is used in most Linux distributions. That program is quite different from the POSIX standard, the SysV variants, and the BSD variants.

That matters a great deal with 'date' because the variations are many and they are sometimes dangerously incompatible. For example, the "-d" option with a non-zero argument in some BSD versions of 'date' sets the kernel DST flag. Because of those incompatibilities, if you write a script using 'date' that may end up on a system different from the one you wrote the script for, you should check which 'date' you have. If you want GNU date only, you can *probably* trust that it is the only variant that will accept "--version" as an option.
Anonymous
Mikel: it *can* vary a great deal depending on what sort of "raw log" you are talking about.

However, most 10-digit numbers starting with '12' for times near the present are "Unix epoch" times, a count of seconds since 1970-01-01 00:00:00 UTC. Because it is actually quite complex to calculate that arithmetically (particularly given leap seconds...) most conversions from epoch to human use 'date' or similar tools and the system's collection of timezone and calendar data. To convert epoch to the default string format using FreeBSD/MacOS date:
$ date -j -f %s 1234567890
Fri Feb 13 18:31:30 EST 2009
GNU/Linux date:
$ date --date=@1234567890
Fri Feb 13 18:31:30 EST 2009

A 13-digit number or <10-digit>.<3-digit> is often composed of an epoch time and a millisecond count.
Anonymous
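
The two points from the comments above, checking which 'date' variant is installed and converting epoch log times, combined in one script (an added example, not code from the diary or its commenters). The function names date_flavor and epoch_to_utc are this example's own, and treating a bare 13-digit value as milliseconds is an assumption based on the "often" in the comment.

```shell
#!/bin/sh
# Added example: choose the right 'date' syntax, then convert epoch log times.

# Prints "gnu" if date accepts --version (the heuristic from the comment above),
# "bsd" if the FreeBSD/macOS "-j -f %s" form works, otherwise "unknown".
date_flavor() {
    if date --version >/dev/null 2>&1; then
        echo gnu
    elif date -j -f %s 0 >/dev/null 2>&1; then
        echo bsd
    else
        echo unknown
    fi
}

# epoch_to_utc RAW
# RAW is epoch seconds, <seconds>.<fraction>, or a 13-digit millisecond count
# (assumed, not guaranteed, to be milliseconds). Prints an ISO 8601 UTC
# timestamp. Returns 1 on malformed input, 2 if the date variant is unknown.
epoch_to_utc() {
    raw=$1
    # Log fields are untrusted: allow only digits and at most one dot, so no
    # free-form string ever reaches date's parser.
    case $raw in
        ''|*[!0-9.]*|*.*.*) return 1 ;;
    esac
    case $raw in
        *.*) secs=${raw%%.*}; frac=${raw#*.} ;;
        *)   if [ "${#raw}" -eq 13 ]; then
                 secs=${raw%???}; frac=${raw#??????????}
             else
                 secs=$raw; frac=
             fi ;;
    esac
    [ -n "$secs" ] || return 1
    case $(date_flavor) in
        gnu) stamp=$(date -u -d "@$secs" +%Y-%m-%dT%H:%M:%S) || return 1 ;;
        bsd) stamp=$(date -u -j -f %s "$secs" +%Y-%m-%dT%H:%M:%S) || return 1 ;;
        *)   return 2 ;;
    esac
    printf '%s%sZ\n' "$stamp" "${frac:+.$frac}"
}

# Constructed sample values in the three shapes discussed above, plus one bad field.
for t in 1234567890 1234567890.123 1234567890123 'not-a-time'; do
    epoch_to_utc "$t" || echo "rejected: $t"
done
```

Output is always UTC, so timestamps from hosts in different time zones line up when logs are correlated.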
Just check the output of `ddate`...
Anonymous
I have a backup script which removes backup files based on date. I keep my personal backups for 2 weeks, so the command I use to determine the date is:
"date --date='2 weeks ago'" +%Y.%m.%d
but "date --date='-2 weeks'" +%Y.%m.%d would work just as well.
Anonymous
Never mind those double quotes. I put them in the wrong place...
Anonymous
You can also use the %F format specifier instead of +"%Y-%m-%d".

date --date "-1 days" +"%F"
Anonymous
Would be nice if GNU date received support for TAI64N..
Anonymous
