I have a string timestamp key I need to convert to a number because strftime throws an error that it needs to be a number.
journalctl -n1 --output=json | jq '.__REALTIME_TIMESTAMP | tonumber |= (. / 1000 | strftime("%Y-%m-%d")), .MESSAGE'
but I get invalid path expression errors. I assume I don't have the syntax down right.
I ultimately want to display key __REALTIME_TIMESTAMP in human readable format and key MESSAGE.
I'm not sure what your intention with |= is here.
It could work like this:
$ journalctl -n1 --output=json |
jq '(.__REALTIME_TIMESTAMP | tonumber/1000000 | strftime("%Y-%m-%d %H:%M:%S")), .MESSAGE'
"2023-11-11 21:44:27"
"[session uid=1000 pid=1420] Activation via systemd failed for unit 'gvfs-daemon.service': Unit gvfs-daemon.service is masked."
Or formatted / raw output:
$ journalctl -n1 --output=json |
jq -r '(.__REALTIME_TIMESTAMP | tonumber/1000000 | strftime("[%Y-%m-%d %H:%M:%S]: ")) + .MESSAGE'
[2023-11-11 21:44:27]: [session uid=1000 pid=1420] Activation via systemd failed for unit 'gvfs-daemon.service': Unit gvfs-daemon.service is masked.
.thing |= tonumber (the same as .thing = (.thing | tonumber)).
– Kusalananda
Nov 11 '23 at 22:13
strflocaltime("%F %T %Z") would give you the same output format for the timestamp as with in the short-full format from journalctl, and using that with the message in an array passed through @tsv would give you nice tab-delimited output that would allow you to easily post-process the messages afterwards by message or by human-readable timestamp. The only difference between that and the short-full format would be the exclusion of the systemd service name and the fact that the two fields woul be tab-delimited.
– Kusalananda
Nov 12 '23 at 06:42
journalctl -n1 --output=json)? You can't modify the result oftonumberwith|=(the left-hand side of that operator must be a path within the document). – Kusalananda Nov 11 '23 at 22:00