Master Linux Log Analysis: Tail, Less, Grep, Sed & Awk for Real‑World Debugging

When a production error generates a massive log file, this guide teaches backend engineers how to efficiently inspect and troubleshoot using Linux commands like tail, less, grep, sed, and awk, with concrete real‑world scenarios and exact command examples.

Code Ape Tech Column

When a production error appears, reading a 2 GB log with cat is impractical. This guide shows how backend engineers can efficiently inspect large logs using Linux utilities tail, less, grep, sed and awk through concrete scenarios.

tail

Use tail -f logs/application.log to follow a log in real time, e.g., during a service restart to verify that Spring Boot starts up cleanly.

To print the last 200 lines first and then keep following: tail -n 200 -f logs/application.log.

less

Open large logs with less logs/application.log. Jump to the end with Shift+G, search backwards with ?ORD12345678, and repeat the search with n. Shift+F switches to follow mode (similar to tail -f); press Ctrl+C to leave follow mode.

grep

Search for keywords and context. Example to see 20 lines around a NullPointerException: grep -C 20 "NullPointerException" logs/application.log.

Find all occurrences of a TraceId across rotated logs: grep "TraceId-20251219001" logs/app.log*.

Count occurrences of a specific exception: grep -c "RedisConnectionException" logs/application.log.

Exclude noisy lines, e.g., health checks: grep -v "HealthCheck" logs/application.log.

sed

Extract a time window from a huge log without downloading the whole file. Example extracting the lines between 14:00 and 14:05 on 2025‑12‑19:

sed -n '/2025-12-19 14:00/,/2025-12-19 14:05/p' logs/application.log > error_segment.log

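The sed range above opens only at a line that literally matches the start pattern and closes at the first line that matches the end pattern, so a quiet minute at either boundary gives an empty or overlong extract. The following is an added example, not part of the original article, that filters by comparing timestamps instead and keeps stack-trace lines with their entry; the function names and the sample log are constructed for illustration, and it assumes every entry starts with "YYYY-MM-DD HH:MM:SS".

```shell
#!/bin/sh
# Added example: time-window extraction that does not depend on a log line
# literally matching either boundary. Function names are hypothetical.

# make_sample_log FILE: write a small constructed log (not real data).
make_sample_log() {
    cat > "$1" <<'EOF'
2025-12-19 13:59:58 INFO  OrderService - order ORD-1 created
2025-12-19 14:01:03 ERROR OrderService - payment failed
java.lang.NullPointerException: null
    at com.example.OrderService.pay(OrderService.java:42)
2025-12-19 14:04:59 WARN  RedisClient - slow command
2025-12-19 14:06:10 INFO  OrderService - order ORD-2 created
EOF
}

# extract_window FILE START END: print entries with START <= timestamp < END.
# Assumes each entry starts with "YYYY-MM-DD HH:MM:SS".
extract_window() {
    awk -v start="$2" -v end="$3" '
        # A line that begins with a timestamp opens a new entry and decides
        # whether we are inside the window. Fixed-width timestamps in this
        # format sort correctly as plain strings.
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {
            ts = substr($0, 1, 19)
            inside = (ts >= start && ts < end)
        }
        # Lines without a timestamp (stack traces) follow the previous entry.
        inside
    ' "$1"
}

# Demo: no line falls in minute 14:00, so the sed range on the same file
# never opens, while the comparison-based filter returns the whole incident.
log=$(mktemp)
make_sample_log "$log"
extract_window "$log" "2025-12-19 14:00:00" "2025-12-19 14:05:00"
rm -f "$log"
```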

awk

Analyze column‑based logs. To list the top 10 IPs generating the most requests:

awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -n 10


Find requests with a response time greater than 1 second (assuming the response time is the last field and the URL is the 7th): awk '$NF > 1.000 {print $7, $NF}' access.log.

Memorize these commands or bookmark the guide; they enable quick, copy‑paste troubleshooting in production environments.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Code Ape Tech Column

Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn
