20 Powerful Shell Commands to Master Log File Analysis
This guide presents twenty essential shell one‑liners—using awk, grep, sort, uniq, and netstat—to quickly count unique IPs, identify hot pages, filter bots, monitor Apache processes, and measure traffic, helping sysadmins and security analysts extract actionable insights from web server logs.
The article shares a collection of twenty practical shell commands for analyzing web server log files, enabling administrators to uncover traffic patterns, detect potential attacks, and monitor system performance.
1. Count unique IP addresses
awk '{print $1}' log_file | sort | uniq | wc -l2. Count accesses to a specific page
grep "/index.php" log_file | wc -l3. Count pages visited per IP
awk '{++S[$1]} END {for (a in S) print a, S[a]}' log_file > log.txt
sort -n -t ' ' -k2 log.txt4. Sort IPs by number of pages visited
awk '{++S[$1]} END {for (a in S) print S[a], a}' log_file | sort -n5. List pages accessed by a specific IP
grep ^111.111.111.111 log_file | awk '{print $1, $7}'6. Exclude search‑engine crawlers
awk '{print $12, $1}' log_file | grep ^"Mozilla" | awk '{print $2}' | sort | uniq | wc -l7. Count IPs that accessed during a specific hour
awk '{print $4, $1}' log_file | grep 16/Aug/2015:14 | awk '{print $2}' | sort | uniq | wc -l8. Top 10 IPs by request count
awk '{print $1}' log_file | sort | uniq -c | sort -nr | head -109. Top 10 most requested files or pages
cat log_file | awk '{print $11}' | sort | uniq -c | sort -nr | head -1010. Top 20 URLs by sub‑domain (using referer)
cat access.log | awk '{print $11}' | sed -e 's/http:\/\///' -e 's/\/.*//' | sort | uniq -c | sort -nr | head -2011. Largest transferred files
cat www.access.log | awk '($10 > 200000 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -10012. Pages larger than 200 KB and their frequencies
cat www.access.log | awk '($10 > 200000 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -10013. Slowest PHP pages (duration > 60 s)
cat www.access.log | awk '($NF > 60 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -10014. Pages with response time > 30 s
cat www.access.log | awk '($NF > 30){print $7}' | sort -n | uniq -c | sort -nr | head -2015. Process count per service
ps -ef | awk -F ' ' '{print $8 " " $9}' | sort | uniq -c | sort -nr | head -2016. Current Apache concurrent connections
netstat -an | grep ESTABLISHED | wc -l17. Compare with MaxClients setting
netstat -an | grep ESTABLISHED | wc -l18. Count Apache processes handling requests
ps -ef | grep httpd | wc -l19. Total 80‑port connections
netstat -nat | grep -i "80" | wc -l20. Detailed TCP state statistics
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'These commands can be combined, filtered, and piped to generate custom reports such as the most active IPs, busiest URLs on a given day, bandwidth usage, HTTP status distribution, and connection state summaries, providing a solid foundation for log‑driven troubleshooting and security monitoring.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.