SquidAnalyzer.current file generating error

Question

SquidAnalyzer.current file generating error

cvItvre opened this issue 6 years ago · 6 comments

When I run squidanalyzer more than once, this error appears:

this file will not be parsed: /var/log/squid/access.log, line after offset is older than expected: 1559305827.287 < 1559316567.287.

Looking at the SquidAnalyzer.current file we have:

1559316567.287 39991429

Every time I run squidanalyzer, the time in the SquidAnalyzer.current file is always greater than the time in the access.log file. So I have to delete the SquidAnalyzer.current file and run squidanalyzer again. Why is this happening? How does this file work? When I delete and run, all my logs need to be parsed again and it takes a lot of time. How do I fix that?

Answer 1 · 2019-05-31T19:38:57.000Z

What is the format of your access.log? native, common or combined?

Answer 2 · 2019-06-03T13:23:17.000Z

I think it's in native format, bellow u can see a line from the access.log file.

1559121904.856 1 10.181.51.142 TCP_DENIED/403 1158 CONNECT splunk-heavyforwarder-public.vtex.com:8088 - HIER_NONE/- text/html

Answer 3 · 2019-06-08T09:15:07.000Z

I guess that you are using latest development code and you have TimeZone commented out in your configuration file. If you look at your access.log file at offset 39991429, the next line might have a time older than the history time. Using vi you can move to the offset using: :goto 39991429

Answer 4 · 2019-06-11T11:38:47.000Z

I tested with various log files and in all tests the number in the SquidAnalyzer.current file is the last character of the last line. There is no line after it.

Answer 5 · 2019-07-09T11:22:29.000Z

Please upgrade to latest development code I have just fixed an other problem with timezone.

Answer 6 · 2019-07-19T10:42:50.000Z

OK, i'll do that, ty.