Essential Shell Commands for Analyzing Apache Access Logs
A comprehensive collection of awk, grep, sort, and netstat one‑liners that help you count unique IPs, rank pages by hits, filter by time ranges, identify slow requests, and monitor connection states directly from Apache log files.
This guide provides a toolbox of command‑line snippets for extracting valuable metrics from Apache access logs.
Basic IP and page statistics
awk '{print $1}' log_file | sort | uniq | wc -l – count distinct IP addresses.
grep "/index.php" log_file | wc -l – count accesses to a specific page.
awk '{++S[$1]} END {for (a in S) print a, S[a]}' log_file | sort -k2 -n – list each IP with the number of pages it requested.
awk '{++S[$1]} END {for (a in S) print S[a], a}' log_file | sort -n – sort IPs by request count.
Advanced filtering and sorting
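Show pages requested by a particular IP:
grep '^111\.111\.111\.111 ' log_file | awk '{print $1, $7}'
Exclude search‑engine crawlers (count distinct IPs whose User‑Agent starts with "Mozilla"):
awk '{print $12,$1}' log_file | grep '^"Mozilla' | awk '{print $2}' | sort | uniq | wc -l
Major crawlers such as Googlebot also send a User‑Agent beginning with Mozilla/5.0, so this filter only drops clients with other User‑Agent strings.
Count distinct IPs seen within a specific hour (e.g., 14:00 on 16 Aug 2015):
awk '{print $4,$1}' log_file | grep 16/Aug/2015:14 | awk '{print $2}' | sort | uniq | wc -l
Top‑N analyses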
Top 10 IPs by request volume:
awk '{print $1}' access_log | sort | uniq -c | sort -nr | head -10
Top 10 most requested URLs:
awk '{print $7}' log_file | sort | uniq -c | sort -nr | head -10
Top 20 IPs by total traffic (bytes transferred):
awk '{B[$1]+=$10} END {for (a in B) print B[a], a}' log_file | sort -nr | head -20
Performance‑related queries
Pages with transfer size >200 KB:
awk '($10>200000 && $7~/\.php/){print $7}' log_file | sort | uniq -c | sort -nr | head -100
Requests taking more than 60 seconds (assumes the request time in seconds, %T, is logged as the last field):
awk '($NF>60 && $7~/\.php/){print $7}' log_file | sort | uniq -c | sort -nr | head -100
HTTP status code distribution:
awk '{counts[$9]++} END {for (code in counts) print code, counts[code]}' access.log
Network connection monitoring
Current ESTABLISHED connections on port 80:
netstat -an | awk '$4 ~ /:80$/ && $6 == "ESTABLISHED"' | wc -l
Count connections per TCP state:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
Top IPs with most TIME_WAIT sockets:
netstat -n | grep TIME_WAIT | awk '{sub(/:[0-9]+$/, "", $5); print $5}' | sort | uniq -c | sort -rn | head -20
These snippets can be combined, piped, or adapted to specific log formats, enabling quick diagnostics of traffic patterns, bottlenecks, and potential abuse without requiring additional tools.
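An added example (not from the original article) that combines the per-IP request count, byte total and status-code snippets above into a single awk pass and lists clients whose requests mostly fail, a common sign of scanning. It assumes the combined log format used throughout this page ($1 IP, $9 status, $10 bytes); the function names, thresholds and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in combined log format (documentation-range IPs).
sample_log() {
cat <<'EOF'
203.0.113.5 - - [16/Aug/2015:14:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Aug/2015:14:00:07 +0800] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Aug/2015:14:01:10 +0800] "GET /admin.php HTTP/1.1" 404 210 "-" "curl/7.40"
198.51.100.9 - - [16/Aug/2015:14:01:11 +0800] "GET /login.php HTTP/1.1" 404 210 "-" "curl/7.40"
198.51.100.9 - - [16/Aug/2015:14:01:12 +0800] "GET /setup.php HTTP/1.1" 403 199 "-" "curl/7.40"
198.51.100.9 - - [16/Aug/2015:14:01:13 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.40"
192.0.2.44 - - [16/Aug/2015:14:02:00 +0800] "GET /index.php HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.44 - - [16/Aug/2015:14:02:30 +0800] "-" 408 - "-" "-"
EOF
}

# ip_report [FILE...]: one pass giving "ip requests bytes errors" per client,
# busiest first. Lines whose $9 is not a 3-digit status are skipped: a request
# logged as "-" (for example a timed-out connection) shifts later fields by two.
ip_report() {
  awk '$9 ~ /^[0-9][0-9][0-9]$/ {
         req[$1]++
         bytes[$1] += ($10 == "-" ? 0 : $10)   # "-" means no body was sent
         if ($9 >= 400) err[$1]++
       }
       END { for (ip in req) print ip, req[ip], bytes[ip], err[ip] + 0 }' "$@" |
    sort -k2,2nr -k1,1
}

# suspect_ips MIN_REQ MIN_PCT [FILE...]: clients with at least MIN_REQ requests
# of which at least MIN_PCT percent returned 4xx/5xx (thresholds are assumptions).
suspect_ips() {
  min_req=$1; min_pct=$2; shift 2
  ip_report "$@" |
    awk -v r="$min_req" -v p="$min_pct" '$2 >= r && $4 * 100 >= p * $2 { print $1 }'
}

sample_log | ip_report
echo "suspect: $(sample_log | suspect_ips 3 50)"
```

On a real server, pass the log path instead of piping the sample, for example `suspect_ips 50 80 log_file`, and tune the thresholds to the site's normal error rate.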
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
