Hello.
Is there a way to print log records for last, say, 5 minutes? I can’t find how to compare time in routeros…
/log print where time > …
Try this:
/log print where time>([/system clock get time] - 5m)
Wow, it works, thanks a lot!
YW 
ros code
/log print where time>([/system clock get time] - 5m)
The above code seems doesn’t work on 6.47.7 , anyone have the solution ?
Thanks!
Works fine on my 6.47.7, but if there are no log last 5 min you do not get anything.
PS this will not work 4 min past midnight, since date/time format changes for events.
MT should change to use RFC-3164 time format everywhere.
PS2, to handle lots of log, see mye Splunk fro Mikrotik, see my signature.
Hi Jotne, Thanks for the reply !
This is weird ! See below. It doesn’t work on mine.
nov/14 21:09:57 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
nov/14 21:16:04 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
nov/14 21:18:14 system,info changed script settings by brg3466
nov/14 22:29:03 interface,info ether3 link down
nov/14 22:29:32 system,info,account user brg3466 logged out from 192.168.3.25 via winbox
nov/14 22:29:32 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
nov/14 22:29:32 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
nov/14 22:36:46 dhcp,info defconf deassigned 192.168.3.25 from FC:AA:14:DA:E1:62
nov/14 22:44:44 interface,info ether3 link up (speed 1G, full duplex)
nov/14 22:44:49 dhcp,info defconf assigned 192.168.3.25 to FC:AA:14:DA:E1:62
nov/14 22:46:37 system,info,account user brg3466 logged in from 192.168.3.25 via winbox
nov/14 22:46:37 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
nov/14 22:46:37 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
nov/14 22:47:05 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
[brg3466@MikroTik] > /log pr where time>([/system clock get time]-15m)
[brg3466@MikroTik] > :put [/system clock get time]
22:51:21
[brg3466@MikroTik] >
Works fine on my RB3011 running 6.47.7 “Stable” too !
Not sure why you see month data in front of the log.
This only work on current day when line logs in this format: ( current day)
10:40:27 dhcp,warning DHCP-Guest offering lease 192.1168.20.171 for 0C:2F:B0:95:BC:D6 without success
So add RFC-3164, and it will be solved.
The routerOS acts funny. The problem yesterday was the format of the log. This morning, when i run the CLI again, it works. And as you said, the current day log only shows the time.
No idea what happened yesterday. 
nov/14 23:24:47 system,info,account user brg3466 logged out from 192.168.3.25 via winbox
nov/14 23:24:47 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
00:10:40 interface,info ether3 link down
00:19:50 dhcp,info defconf deassigned 192.168.3.25 from FC:AA:14:DA:E1:62
03:10:43 interface,info ether3 link up (speed 1G, full duplex)
03:10:44 interface,info ether3 link down
10:01:25 interface,info ether3 link up (speed 100M, full duplex)
10:01:41 interface,info ether3 link down
10:01:44 interface,info ether3 link up (speed 1G, full duplex)
10:01:50 dhcp,info defconf assigned 192.168.3.25 to FC:AA:14:DA:E1:62
10:07:40 system,info,account user brg3466 logged in from 192.168.3.25 via winbox
10:07:43 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
[brg3466@MikroTik] > /log pr where time>([/system clock get time]-15m)
10:01:25 interface,info ether3 link up (speed 100M, full duplex)
10:01:41 interface,info ether3 link down
10:01:44 interface,info ether3 link up (speed 1G, full duplex)
10:01:50 dhcp,info defconf assigned 192.168.3.25 to FC:AA:14:DA:E1:62
10:07:40 system,info,account user brg3466 logged in from 192.168.3.25 via winbox
10:07:43 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
Hi , I found something else.
As long as the today’s date/time format includes date, the script doesn’t work. If the today’s log only show time, then it works.
Question: why today’s log sometimes show date and sometimes not ? below it shows date again. But this morning, there was no date, only time.
[brg3466@MikroTik] > :put [/system clock get date]
nov/15/2020
[brg3466@MikroTik] > :put [/system clock get time]
18:29:35
[brg3466@MikroTik] > log pr
nov/15 18:25:02 system,info,account user brg3466 logged out from 192.168.3.25 via winbox
nov/15 18:25:33 system,info,account user brg3466 logged in from 192.168.3.25 via winbox
nov/15 18:25:35 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
nov/15 18:26:15 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
nov/15 18:26:31 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
nov/15 18:27:20 system,info log action changed by brg3466
nov/15 18:27:29 system,info,account user brg3466 logged out from 192.168.3.25 via telnet
nov/15 18:27:37 system,info log action changed by brg3466
nov/15 18:27:49 system,info,account user brg3466 logged in from 192.168.3.25 via telnet
nov/15 18:29:16 system,info log action changed by brg3466
[brg3466@MikroTik] >
In 7.17.2 this does not only print log lines from last 5 minutes. It prints everything from many hours ago and even more. How it can be done in v7?
On log “time” is everyTIME one string of 4 diffferent formats, do not work “-5” everyTIME, just when time format is hh:mm:ss.
http://forum.mikrotik.com/t/rextended-fragments-of-snippets/151033/1
This is because the “time” property in the log section is now of type “string” only. Convert the property to type “time” before comparing them with other time values:
/log print where (([:timestamp]+([/system clock get gmt-offset]."s"))-[:totime (time)]) <= 5m
Additional examples how to filter logs by time using current RouterOS versions see this topic: How to filter logging time 24 hours ago and topics=ppp and message=connected in log.0.txt
Regards @colinardo