
Master Linux Log Analysis: Tail, Grep, Sed, Awk & Less Commands for Real‑World Debugging

This guide shows backend engineers and ops teams how to efficiently inspect large production logs using Linux utilities such as tail, less, grep, sed, and awk, with concrete command examples for service start‑up monitoring, bug reproduction, trace‑ID tracing, error context extraction, and statistical analysis.

Su San Talks Tech

tail

For large log files, cat can flood the terminal; tail provides real‑time monitoring.

Scenario A – Service start‑up monitoring

# -f (follow): continuously display new lines
 tail -f logs/application.log

Scenario B – Test‑driven bug reproduction

Only the latest output is needed, ignoring history.

# Show last 200 lines and follow updates
 tail -n 200 -f logs/application.log

less

less loads files on demand, making it suitable for browsing multi‑gigabyte logs without exhausting memory.

Scenario – Investigating a failed order

Search backwards from the end of the log for a specific order ID.

 less logs/application.log

Press Shift+G to jump to the end.

Enter ?ORD12345678 to search upwards.

Press n to move to the previous match (the search keeps going upwards).

Use Shift+F for a live‑follow mode similar to tail -f, and Ctrl+C to return to browsing.

grep

grep is the most common search tool, but simple keyword matching often isn’t enough.

Scenario A – Reconstructing an error context

# Show the matching line plus 20 lines of context
 grep -C 20 "NullPointerException" logs/application.log

Scenario B – Full‑trace ID search

# Search all rotated log files for a TraceId
 grep "TraceId-20251219001" logs/app.log*

Scenario C – Counting exception occurrences

# Count matching lines only
 grep -c "RedisConnectionException" logs/application.log

Scenario D – Excluding noisy logs

# Exclude lines containing "HealthCheck"
 grep -v "HealthCheck" logs/application.log

sed

When a log is huge (e.g., 10 GB) and the incident time window is known, sed can extract that slice without downloading the whole file.

# Extract lines between start and end timestamps
 sed -n '/2025-12-19 14:00/,/2025-12-19 14:05/p' logs/application.log > error_segment.log

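The resulting error_segment.log is a small, focused file for further analysis. The range begins at the first line containing the start timestamp and stops at the first line containing the end timestamp, so both minutes must actually appear in the log; if no line contains the end timestamp, sed prints through to the end of the file.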

awk

awk excels at column‑wise processing, useful for structured logs such as Nginx access logs.

Scenario A – Finding malicious IPs

# Extract IP column, sort, count, and show top 10
 awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -n 10

Scenario B – Identifying slow endpoints

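# Print URL (field 7) and response time (last field) for requests slower than 1 s
# Assumes the log_format puts the request time last; Nginx's default "combined" format does not log it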
 awk '$NF > 1.000 {print $7, $NF}' access.log
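The sed time-window slice and the awk per-IP count can be combined into one pass that also counts 4xx/5xx responses per IP, which says more about a noisy client than request volume alone. This is an added example, not part of the original article: the function names `sample_log` and `ip_summary`, the constructed log lines, the trailing request-time field and the single-day window are all assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample: Nginx "combined" format plus a trailing request time.
# Addresses come from the RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
198.51.100.23 - - [19/Dec/2025:13:59:58 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" 0.012
203.0.113.7 - - [19/Dec/2025:14:00:01 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0" 0.031
203.0.113.7 - - [19/Dec/2025:14:00:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0" 0.029
198.51.100.23 - - [19/Dec/2025:14:00:03 +0000] "GET /api/orders HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)" 1.204
203.0.113.7 - - [19/Dec/2025:14:00:04 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0" 0.030
192.0.2.10 - - [19/Dec/2025:14:01:10 +0000] "GET /health HTTP/1.1" 200 2 "-" "HealthCheck/1.0" 0.001
203.0.113.7 - - [19/Dec/2025:14:04:59 +0000] "POST /login HTTP/1.1" 200 640 "-" "curl/8.5.0" 0.044
203.0.113.7 - - [19/Dec/2025:14:05:30 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.5.0" 0.030
EOF
}

# ip_summary DAY FROM TO [MIN_REQUESTS]
# Reads an access log on stdin and prints "ip requests errors" for every IP
# with at least MIN_REQUESTS requests between FROM and TO (HH:MM:SS, inclusive)
# on DAY (dd/Mon/yyyy). Unlike a sed range, the window is compared per line,
# so it works even when no line carries the exact boundary timestamp.
ip_summary() {
  awk -v day="$1" -v from="$2" -v to="$3" -v min="${4:-1}" '
    {
      d = substr($4, 2, 11)    # "[19/Dec/2025:14:00:01" -> "19/Dec/2025"
      t = substr($4, 14, 8)    #                         -> "14:00:01"
      if (d != day || t < from || t > to) next
      req[$1]++
      # $1, $4 and $9 sit before the quoted user agent, so spaces in the
      # agent string do not shift them.
      if ($9 + 0 >= 400) err[$1]++
    }
    END {
      for (ip in req)
        if (req[ip] >= min) print ip, req[ip], err[ip] + 0
    }
  ' | LC_ALL=C sort -k2,2nr -k1,1   # busiest first, ties ordered by IP
}

# IPs with at least 2 requests inside the five-minute incident window
sample_log | ip_summary 19/Dec/2025 14:00:00 14:05:00 2
```

On a real server, replace `sample_log |` with `< access.log`, and check the field positions against the site's own log_format before trusting the counts.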

Conclusion

These command‑line snippets cover common production‑debugging scenarios; keeping them handy enables quick, copy‑and‑paste solutions when logs become overwhelming.

Written by

Su San Talks Tech

Su San, former staff at several leading tech companies, is a top creator on Juejin and a premium creator on CSDN, and runs the free coding practice site www.susan.net.cn.
