Linux Survival Basics

Read-only

Show Context Around the First App Error

An application log has many lines, and you need the few lines leading into the first error.

Command

awk '{buf[NR%5]=$0} tolower($0) ~ /(error|exception|fatal)/ {for (i=NR-4;i<=NR;i++) if (i>0) print buf[i%5]; exit}' fixtures/incidents/app.log

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not use it when you need every occurrence; this intentionally exits after the first match.

Expected output

Several lines ending at the first error, exception, or fatal log entry.

System impact

Read-only. Nothing changes. The command prints buffered context around the first severe application line.

Recovery / rollback: no state is changed.

When to use it

Use when the first failure context matters more than repeated downstream errors.

When not to use it

Do not use it when you need every occurrence; this intentionally exits after the first match.

Watch this command run

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ head -8 sample-files/incidents/app.log

2026-06-25T14:00:01Z level=INFO service=api request_id=req-100 msg=started release=2026.06.25.1
2026-06-25T14:01:14Z level=INFO service=worker request_id=req-101 msg=queue_depth value=18
2026-06-25T14:02:06Z level=WARN service=api request_id=req-102 msg=upstream_slow upstream=db latency_ms=2200
2026-06-25T14:03:08Z level=ERROR service=api request_id=req-103 msg=database_timeout timeout_ms=30000
2026-06-25T14:03:12Z level=ERROR service=api request_id=req-103 msg=retry_failed upstream=db
2026-06-25T14:04:44Z level=INFO service=deploy request_id=req-104 msg=release_switch release=2026.06.25.2
2026-06-25T14:05:10Z level=FATAL service=worker request_id=req-105 msg=job_runner_exit code=137
2026-06-25T14:05:12Z level=INFO service=system request_id=req-106 msg=worker_restarted

$ awk '{buf[NR%5]=$0} tolower($0) ~ /(error|exception|fatal)/ {for (i=NR-4;i<=NR;i++) if (i>0) print buf[i%5]; exit}' sample-files/incidents/app.log

2026-06-25T14:00:01Z level=INFO service=api request_id=req-100 msg=started release=2026.06.25.1
2026-06-25T14:01:14Z level=INFO service=worker request_id=req-101 msg=queue_depth value=18
2026-06-25T14:02:06Z level=WARN service=api request_id=req-102 msg=upstream_slow upstream=db latency_ms=2200
2026-06-25T14:03:08Z level=ERROR service=api request_id=req-103 msg=database_timeout timeout_ms=30000

View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

head -8 fixtures/incidents/app.log
awk '{buf[NR%5]=$0} tolower($0) ~ /(error|exception|fatal)/ {for (i=NR-4;i<=NR;i++) if (i>0) print buf[i%5]; exit}' fixtures/incidents/app.log

next steps

Related commands

Hosting Operations Can be slow

Count Request IDs in Error Lines

Repeated request IDs can connect separate error lines to one failing path.

grep -Ei 'error|timeout|fatal|exception' fixtures/incidents/app.log | awk '{for (i=1;i<=NF;i++) if ($i ~ /^request_id=/) print $i}' | sort | uniq -c | sort -nr

Hosting Operations Read-only

Count App Errors by Minute

A minute-by-minute count shows whether an incident is a spike or a drip.

awk 'tolower($0) ~ /(error|fatal|timeout|exception)/ {minute=substr($1,1,16); count[minute]++} END {for (m in count) print count[m], m}' fixtures/incidents/app.log | sort -nr

Linux Survival Basics Read-only

Map systemd Timers to Services

A timer is only half the scheduled job. The service is the payload.

systemctl list-timers --all --no-pager --plain | awk 'NR==1 || /\.timer/ {print $(NF-1), "->", $NF}'

Linux Survival Basics Can be slow

Find Errors Before Reading Every Log Line

The error was in the log. The problem was finding it without reading noise.

grep -iE 'error|failed|denied|timeout' /var/log/nginx/error.log | tail -40