Master Linux Log Analysis: Tail, Less, Grep, Sed & Awk for Fast Debugging
This guide shows practical Linux commands—tail, less, grep, sed, and awk—illustrated with real‑world scenarios to help backend developers quickly monitor, search, filter, and extract log data during production incidents.
When a production alert appears, large log files (e.g., 2 GB) can overwhelm simple cat output, making it hard to locate issues. Backend developers need to master Linux log‑analysis tools such as tail, less, grep, sed, and awk to troubleshoot efficiently.
tail
For real‑time monitoring of growing logs, tail -f streams new lines without freezing the terminal. Example for service start‑up monitoring:
# -f (follow): show appended content in real time
tail -f logs/application.log
When only the latest 200 lines are needed during a test, combine -n with -f:
# Show last 200 lines and keep following
tail -n 200 -f logs/application.log
less
less loads files on demand, allowing smooth navigation of multi‑gigabyte logs. To find a specific order ID in a complaint case:
less logs/application.log
Press Shift+G to jump to the end.
Enter ?ORD12345678 to search upward.
Press n to find previous matches.
Use Shift+F for a live‑follow mode similar to tail -f, and Ctrl+C to return to browsing.
grep
grep is the go‑to keyword search, but real‑world debugging often requires context, counting, or exclusion.
Context search: Show 20 lines before and after a NullPointerException.
# Show 20 lines of context
grep -C 20 "NullPointerException" logs/application.log
TraceId across rotated logs:
# Search all app.log* files
grep "TraceId-20251219001" logs/app.log*
Count occurrences: How many Redis timeout exceptions?
# Count matching lines
grep -c "RedisConnectionException" logs/application.log
Exclude noise: Hide health‑check INFO lines.
# Invert match to exclude "HealthCheck"
grep -v "HealthCheck" logs/application.log
sed
When logs are huge (e.g., 10 GB) and you know the incident window, sed can extract that time slice.
# Extract logs between 14:00 and 14:05
sed -n '/2025-12-19 14:00/,/2025-12-19 14:05/p' logs/application.log > error_segment.log
The resulting error_segment.log is a small, focused file for offline analysis.
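The pattern range above starts only when a line contains 2025-12-19 14:00 and stops at the first line containing 2025-12-19 14:05, so a quiet minute at either boundary yields an empty slice or one that runs to the end of the file. As an added example (not part of the original article), the following compares timestamps with awk instead, assuming each record begins with YYYY-MM-DD HH:MM:SS; the function names and the sample log are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Assumes every record starts with
# "YYYY-MM-DD HH:MM:SS"; the sample log below is constructed.

# write_sample_log FILE: nothing logged during 14:00 or 14:05, plus a stack trace.
write_sample_log() {
    cat > "$1" <<'EOF'
2025-12-19 13:59:58 INFO  OrderService - order created
2025-12-19 14:01:12 ERROR OrderService - payment failed
java.lang.NullPointerException: null
    at com.example.OrderService.pay(OrderService.java:42)
2025-12-19 14:04:59 WARN  RedisClient - timeout
2025-12-19 14:06:03 INFO  OrderService - order created
EOF
}

# sed_window FILE: the article's pattern range, for comparison.
sed_window() {
    sed -n '/2025-12-19 14:00/,/2025-12-19 14:05/p' "$1"
}

# extract_window START END FILE: print records with START <= timestamp < END.
# The fixed-width timestamp sorts lexicographically, so string comparison is
# enough. Lines without a leading timestamp (stack-trace continuations)
# inherit the decision made for the record above them.
extract_window() {
    awk -v start="$1" -v end="$2" '
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
            ts = substr($0, 1, 19)
            keep = (ts >= start && ts < end)
        }
        keep
    ' "$3"
}

# Demo on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "sed range lines: $(sed_window "$demo_log" | wc -l | tr -d ' ')"
extract_window "2025-12-19 14:00:00" "2025-12-19 14:05:00" "$demo_log"
rm -f "$demo_log"
```

On the sample, the sed range prints nothing because no line was written during 14:00, while the timestamp comparison returns the ERROR record with its stack trace and the WARN record.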
awk
awk excels at column‑based processing, useful for structured logs such as Nginx access logs.
Find top attacking IPs:
# Extract IP column, sort, count, and show top 10
awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -n 10
Identify slow endpoints (response > 1 s):
# Assuming response time is the last field and URL is field 7
awk '$NF > 1.000 {print $7, $NF}' access.log
Conclusion
The examples above are common patterns that backend engineers should memorize or bookmark; copying the exact command for the described scenario can dramatically speed up production issue resolution.
macrozheng
Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.
