Master 10 Essential Linux Commands and Powerful Combinations for Everyday Ops

Core Linux Commands (by frequency)

1. grep – text search

# Basic search
grep "error" logfile.txt

# Recursive search in a directory tree
grep -r "Connection refused" /var/log/

# Show 2 lines before and after each match
grep -B2 -A2 "critical" app.log

# Extract IPv4 addresses and count occurrences
grep -oE "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" access.log | sort | uniq -c

2. find – file discovery

# Files modified in the last 24 hours
find /home -type f -mtime -1

# Delete log files older than 7 days
find /tmp -name "*.log" -type f -mtime +7 -delete

# Pack all *.conf files under /etc into a tarball
find /etc -name "*.conf" -type f | tar -czf conf_backup.tar.gz -T -

# List the 20 largest regular files (size >100 MiB)
find / -type f -size +100M 2>/dev/null | head -20

3. awk – column‑oriented text processing

# Print the 3rd column of ps output (CPU usage)
ps aux | awk '{print $3}'

# Show processes whose CPU usage exceeds 1 %
ps aux | awk '$3 > 1.0 {print $0}'

# Sum directory sizes (in MB)
du -sk * | awk '{sum += $1} END {print sum/1024 " MB"}'

# Simple /etc/passwd parsing
awk -F: '{print "User:", $1, "Shell:", $7}' /etc/passwd

4. sed – stream editor

# Global substitution
sed 's/old/new/g' file.txt

# Delete empty lines
sed '/^$/d' file.txt

# In‑place edit with backup (macOS syntax shown)
sed -i.bak 's/foo/bar/' config.ini

# Print lines 10‑20
sed -n '10,20p' large_file.log

5. ssh / scp – remote management

# Install password‑less login
ssh-copy-id user@remote-server

# Execute a remote command chain
ssh user@host "df -h && free -m"

# Local‑to‑remote port forwarding (8080 → remote 80)
ssh -L 8080:localhost:80 user@gateway

# Accelerated copy with compression and strong cipher
scp -C -c aes256-gcm.com source.txt user@host:/path/

6. systemctl – service control

# Show service status with full logs
systemctl status nginx -l

# Follow journal entries for a unit
journalctl -u nginx -f

# Restart without blocking dependent units
systemctl restart nginx --no-block

# Display the complete unit file
systemctl cat nginx

7. ss / netstat – network diagnostics

# Listening sockets with owning processes
ss -tulpn | grep LISTEN

# Identify the process using port 80
sudo lsof -i :80

# Refresh connection summary every second
watch -n 1 'ss -s'

# Count TCP states
netstat -ant | awk '/^tcp/ {++S[$NF]} END {for (s in S) print s, S[s]}'

8. tar – archiving & compression

# Smart compression (auto‑select algorithm)
tar -caf archive.tar.xz /path/to/dir

# Incremental backup using a snapshot file
tar -g snapshot.snar -czf backup-$(date +%F).tar.gz /data

# Exclude temporary files and cache directories
tar --exclude='*.tmp' --exclude='cache/*' -czf backup.tar.gz /app

# Parallel compression with pigz (8 threads)
tar -cf - /bigdir | pigz -p 8 > backup.tar.gz

9. rsync – fast synchronization & backup

# Incremental sync preserving permissions
rsync -avz --delete /source/ user@host:/backup/

# Resume large file transfer with progress bar
rsync -avzP --append /large/file user@host:/path/

# Differential backup using hard‑link copies
rsync -av --link-dest=/backup/yesterday /source/ /backup/today/

# Bandwidth limit to avoid saturating the link
rsync --bwlimit=10000 -av /data/ remote:/backup/

10. jq – JSON manipulation

# Pretty‑print JSON from an API
curl -s https://api.example.com/data | jq '.'

# Extract a single field
cat config.json | jq '.database.host'

# Filter array items (e.g., users older than 18)
curl -s https://api.example.com/users | jq '.[] | select(.age > 18)'

# Add a new key/value pair
jq '. + {"version": "1.0"}' old.json > new.json

Practical Combination Scenarios

Scenario 1 – Fast fault diagnosis

# One‑liner log tail with colour‑highlighted errors
tail -f /var/log/app.log | grep -E "(ERROR|CRITICAL)" --color=auto

# Simultaneous CPU and memory snapshot refreshed every second
watch -n 1 'echo "CPU:" $(top -bn1 | grep "Cpu(s)") && echo "Memory:" $(free -h)'

Scenario 2 – Bulk file operations

# Rename all *.txt files to *.bak in the current tree
find . -name "*.txt" -exec rename 's/\.txt$/.bak/' {} \;

# Replace a domain name across many configuration files
grep -rl "old.domain.com" /etc/nginx/ | xargs sed -i 's/old.domain.com/new.domain.com/g'

Scenario 3 – Monitoring & alert script

#!/bin/bash
THRESHOLD=90
USAGE=$(df / | awk 'NR==2 {print $5}' | sed 's/%//')
[ $USAGE -gt $THRESHOLD ] && echo "Warning: Disk usage $USAGE%" | mail -s "Disk Alert" [email protected]

# Restart nginx if it is not running
pgrep nginx || systemctl restart nginx && logger "Nginx was down, restarted"

Scenario 4 – Data‑driven report

# Top 20 client IPs by request count
awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -20

# Hourly API request volume
grep "API请求" app.log | awk '{print $2}' | cut -d: -f1 | uniq -c

Efficiency‑Boost Tips

Alias shortcuts (add to ~/.bashrc)

alias ll='ls -laFh'
alias ports='ss -tulpn'
alias logs='tail -f /var/log/syslog'
alias myip='curl ifconfig.me'
alias h='history | grep'

Command‑history tuning

export HISTSIZE=10000
export HISTTIMEFORMAT="%F %T "
export PROMPT_COMMAND='history -a'   # write each command immediately

Safe‑operation habits

# Interactive confirmations for destructive commands
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Use safe‑rm if it is installed
which safe-rm && alias rm='safe-rm'

Quick directory jumps

# Define a marks directory
export MARKPATH=$HOME/.marks
function jump { cd -P "$MARKPATH/$1" 2>/dev/null || echo "Mark not found"; }
function mark { mkdir -p "$MARKPATH"; ln -s "$(pwd)" "$MARKPATH/$1"; }
function unmark { rm -i "$MARKPATH/$1"; }
function marks { ls -l "$MARKPATH" | sed 's/  / /g' | cut -d' ' -f9-; }

Additional High‑Frequency Tools

htop / atop – interactive process viewer

htop

Provides a colour‑rich, scrollable view of processes and allows direct kill or renice actions.

pidstat – per‑process resource spikes

# CPU usage every second, 5 samples
pidstat -u 1 5
# Memory usage
pidstat -r 1 5
# I/O statistics
pidstat -d 1 5

strace – system‑call tracing

# Attach to a running process
strace -p 12345
# Trace only read/write syscalls
strace -p 12345 -e trace=read,write
# Record a full trace of a program
strace -f -o trace.log ./app

xargs / GNU parallel – safe bulk execution

# Correctly handle filenames containing spaces
find . -type f -print0 | xargs -0 rm

# Limit concurrency to 4 jobs
xargs -P 4 -n 1 command

# Parallel copy with GNU parallel (8 concurrent scp)
parallel -j 8 scp {} user@host:/data ::: *.log

Production‑grade shell script patterns

# Strict mode (fail fast, catch undefined variables, propagate pipe failures)
set -euo pipefail

# Redirect all output to a log file and acquire an exclusive lock
exec >>/var/log/backup.log 2>&1
flock -n /tmp/backup.lock || exit 1

# Protect long‑running commands with a timeout
timeout 60 rsync -av /data /backup

Security & Production Habits

sudo best practice

# Disable direct root SSH login (in /etc/ssh/sshd_config)
PermitRootLogin no

Dry‑run before destructive actions

# rsync dry‑run to verify file list
rsync -av --delete --dry-run /src /dst

# Echo delete commands before actually removing files
find . -name "*.log" -exec echo rm {} \;

One‑Line Operations Snapshot

# System health overview
uptime; free -h; df -h; ss -s

# Top CPU consumers
ps aux --sort=-%cpu | head

# Top memory consumers
ps aux --sort=-%mem | head

Linux’s power lies not in the sheer number of commands but in the ability to combine them effectively.

Mastering pipelines such as grep + awk + sort turns raw logs into actionable insights; find + xargs + sed enables safe bulk configuration changes; strace, lsof and pidstat provide deep visibility when monitoring is unavailable; and disciplined scripting with set -euo pipefail prevents night‑time surprises.