30 Essential Linux Command Combinations to Supercharge System Administration

System Monitoring & Resource Inspection

Quickly obtain CPU, memory and root‑filesystem usage in a single line:

top -b -n 1 | grep Cpu | awk '{print "CPU usage:" $2 "%"}' && \
free -h | grep Mem | awk '{print "Memory usage:" $3 "/" $2 " (" $7 " free)"}' && \
df -h | grep '/$' | awk '{print "Root FS usage:" $5 " (" $4 " free)"}'

Identify the top 10 processes that consume the most CPU:

ps -eo pid,ppid,%cpu,%mem,cmd --sort=-%cpu | head -10

Find files larger than 100 MiB (use +1G for gigabyte threshold):

find / -type f -size +100M 2>/dev/null | xargs du -sh | sort -hr

Average I/O wait time and the number of processes waiting for I/O (values >10 ms usually indicate an I/O bottleneck):

vmstat 1 5 | awk 'NR>1 {print "Avg I/O wait:" $16 "ms, Waiting processes:" $17}'

Real‑time monitoring of SSH login attempts (successful and failed):

tail -f /var/log/messages | \
  grep --line-buffered "ssh" | \
  awk '/Accepted/ {print "Login success:" $0} /Failed/ {print "Login failure:" $0}'

Count failed SSH attempts within a specific time window (adjust timestamps as needed):

sed -n '/2025-09-08 14:00:00/,/2025-09-08 14:30:00/p' /var/log/tomcat/catalina.out | grep "Exception"

Log Analysis & Data Extraction

Count error lines for a given date (modify the date pattern to match your log format):

grep -i "error" /var/log/nginx/error.log | grep -E "2025-09-08" | wc -l

Show the top 10 URLs that returned HTTP 500, together with the client IP and request count:

grep "500" /var/log/nginx/access.log | \
awk '{print $1,$7,$9}' | sort | uniq -c | sort -nr | head -10

Search a compressed log file without decompressing (use bzgrep for .bz2 files):

zgrep "timeout" /var/log/nginx/access.log-20250907.gz | wc -l

File Management & Batch Operations

Delete backup archives older than 7 days (replace -mtime +7 with -atime to use access time):

find /data/backup -name "*.tar.gz" -mtime +7 -exec rm -f {} \;

Add a YYYYMMDD suffix to every .log file in a directory (use date +%Y%m%d%H%M for a timestamp including hour and minute):

for file in /data/logs/*.log; do mv "$file" "$file.$(date +%Y%m%d)"; done

Replace an old IP address in all .conf files under /etc/config (escape special characters if the pattern contains /):

sed -i 's/old_ip=192\.168\.1\.10/old_ip=192\.168\.1\.20/g' /etc/config/*.conf

Create a tarball of /data/app while excluding the logs sub‑directory and embed the current date in the archive name:

tar -zcvf /data/backup/app_$(date +%Y%m%d).tar.gz /data/app --exclude=/data/app/logs

Copy all backup archives to a remote host (use SSH keys for password‑less transfer; for large files rsync -avz is recommended):

scp -r /data/backup/*.tar.gz [email protected]:/data/remote_backup/

Filter user records that are not present in a blacklist (adjust field numbers if the IP column differs):

awk 'NR==FNR{a[$1];next} !($2 in a)' /data/blacklist.txt /data/user.txt

Process & Service Management

Show the status of the nginx service (active/inactive/failed) and the last 20 log lines from the past 10 minutes:

systemctl status nginx | grep -E "active|inactive|failed" && \
journalctl -u nginx --since "10 minutes ago" | tail -20

Force‑kill every Java process (add a more specific pattern such as grep "app.jar" to avoid terminating unrelated Java services):

ps -ef | grep java | grep -v grep | awk '{print $2}' | xargs kill -9

Run a script in the background, redirecting both stdout and stderr to a log file (ensure the log directory exists):

nohup /data/app/start.sh > /data/logs/app.log 2>&1 &

Keep a Java application alive via a cron entry (runs every 5 minutes):

*/5 * * * * pgrep -f "app.jar" || /data/app/start.sh

Network Connectivity & Fault Diagnosis

Check whether port 8080 is listening (install net-tools if netstat is missing): netstat -tulnp | grep :8080 Test TCP connectivity to a MySQL server; if telnet is unavailable, use nc -zv:

telnet 192.168.1.200 3306 || echo "MySQL port unreachable"

Trace the route to a remote gateway and output hop number, IP and latency:

traceroute 10.0.0.1 | grep -E "^[0-9]+" | awk '{print "Hop:" $1 " IP:" $2 " Latency:" $3}'

List the top 10 client IPs that have the most active TCP connections on port 80 (use ss for better performance on busy servers):

ss -antp | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -10

Permission & Security Auditing

Find world‑writable regular files (mode 777) under a given directory (replace 777 with -4000 to locate SUID binaries): find /data/app -perm 777 -type f 2>/dev/null Display ACL entries for a directory to see per‑user or per‑group permissions that are not visible with ls -l: getfacl /data/app | grep -E "user:|group:" Show the last login time for all users that have logged in at least once: lastlog | grep -v "Never logged in" Search the root user's command history for potentially dangerous operations (add export HISTTIMEFORMAT="%F %T " to record timestamps):

grep -E "rm -rf|chmod|chown" /root/.bash_history | tail -20

Core Principles for Command Composition

Combine as needed: Think in terms of a data flow (e.g., find → du → sort) rather than isolated commands.

Test before bulk execution: Replace destructive actions ( rm -f) with safe ones ( ls -l) to verify the target set.

Use pipelines: The pipe operator ( |) passes the output of one command directly to the next, enabling powerful one‑liners.

Remember key parameters: For find remember -name, -size, -mtime; for awk remember -F (field separator) and $n (field number).

These 30 command combinations cover the most common scenarios in Linux system administration. When a new problem arises, start from the basic utilities ( grep, awk, sed, find, ss) and build a pipeline that filters, transforms and aggregates the data you need.