Hosting Operations

Read-only, can be slow

Group Journal Errors by Unit

Recent journal errors mention several processes and you need to see which unit or source is producing most of them.

Command

journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | awk '{split($3,a,"["); unit=a[1]; count[unit]++} END {for (u in count) print count[u], u}' | sort -nr

Before you run this

System impact: Read-only. Can create load on large logs, directories, filesystems, or process tables.

When not to use it: Do not assume the noisiest unit caused the incident; it may only be reporting downstream failure.

Expected output

Counts followed by unit or process names.

System impact

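Read-only, can be slow. Nothing changes. The command groups severe journal entries by the source field: the third column of short-iso output, with the "[PID]" suffix cut off. That column is the name the process logged under, which usually matches the unit name but is not guaranteed to.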

Scope this to the smallest useful path or service on busy systems.

Recovery / rollback: no state is changed.

When to use it

Use after a severity summary to decide which service log deserves attention first.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso

2026-06-25T14:03:08+00:00 vps api[1842]: err request_id=req-103 ERROR database timeout after 30000ms
2026-06-25T14:03:12+00:00 vps api[1842]: err request_id=req-103 ERROR retry failed upstream=db
2026-06-25T14:05:10+00:00 vps worker[2201]: crit FATAL job runner exited code=137
2026-06-25T14:06:33+00:00 vps api[1842]: err request_id=req-107 ERROR payment provider returned 500

$ journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | awk '{split($3,a,"["); unit=a[1]; count[unit]++} END {for (u in count) print count[u], u}' | sort -nr

3 api
1 worker
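
An added example, not part of the original page: the same grouping wrapped in a shell function that skips journalctl marker lines and indented continuation lines, and strips the trailing colon from sources logged without a PID so they are counted by bare name. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: hardened variant of the page's grouping pipeline.

# Constructed sample in `journalctl -o short-iso` shape (not real host data).
sample_lines() {
    cat <<'EOF'
-- Boot 0123456789abcdef0123456789abcdef --
2026-06-25T14:03:08+00:00 vps api[1842]: database timeout after 30000ms
2026-06-25T14:03:12+00:00 vps api[1842]: retry failed upstream=db
2026-06-25T14:04:01+00:00 vps kernel: Out of memory: Killed process 2201 (worker)
2026-06-25T14:05:10+00:00 vps worker[2201]: job runner exited code=137
                                  second line of a multi-line message
2026-06-25T14:06:33+00:00 vps api[1901]: payment provider returned 500
EOF
}

# Read short-iso journal lines on stdin, print "count source", highest first.
group_journal_sources() {
    awk '
        # Only lines that start with an ISO date are entries; this drops
        # "-- ... --" markers and indented continuation lines.
        $1 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ { next }
        NF < 3 { next }
        {
            src = $3
            sub(/\[[0-9]+\]:?$/, "", src)   # "api[1842]:" -> "api"
            sub(/:$/, "", src)              # "kernel:"    -> "kernel"
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# On a real host, feed it the page's journalctl command instead:
#   journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | group_journal_sources
sample_lines | group_journal_sources
```
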

Next steps

Related commands

Hosting Operations Can be slow

Summarize Journal Severity During an Incident

Start with severity counts before opening every log line.

journalctl -p warning..alert --since "2 hours ago" --no-pager -o short-iso | awk '{count[$4]++} END {for (level in count) print count[level], level}' | sort -nr

Hosting Operations Can be slow

Print a Critical Journal Timeline

Timeline beats guesswork when several failures happen close together.

journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | awk '{print $1, $3, $4, substr($0,index($0,$5))}'

Hosting Operations Read-only

Count App Errors by Minute

A minute-by-minute count shows whether an incident is a spike or a drip.

awk 'tolower($0) ~ /(error|fatal|timeout|exception)/ {minute=substr($1,1,16); count[minute]++} END {for (m in count) print count[m], m}' fixtures/incidents/app.log | sort -nr

Hosting Operations Read-only

Summarize HTTP Status Codes

Before chasing individual lines, get the shape of the whole log.

awk '{count[$9]++} END {for (code in count) print count[code], code}' ./fixtures/nginx/access.log | sort -nr

Hosting Operations Read-only

Group Server Errors by URL Path

A 500 spike is easier to triage when the broken path is obvious.

awk '$9 ~ /^5/ {count[$7]++} END {for (path in count) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:101-system-architecture
  • lpic1:103-gnu-unix-commands
  • lpic1:108-essential-services
  • lfcs:essential-commands
  • lfcs:operations-deployment
  • lfcs:services-logs
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • linuxplus:services-users
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.