Hosting Operations
Read-onlyFind Unusually Large Web Responses
Bandwidth, latency, or egress cost jumped, and you need to see which requests produced unusually large responses.
Command
awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | headBefore you run this
System impact: Read-only. Low when scoped to the shown target.
When not to use it: Do not assume a large response is suspicious. Confirm whether the path is expected content, a backup, a release artifact, or a protected export.
Expected output
Large byte counts followed by source IP, path, and status code, giving you both the object and the client to review.
System impact
Read-only. Nothing changes. The command filters log entries by byte count and prints the request path and source.
Recovery / rollback: no state is changed.
When to use it
Use this when investigating bandwidth spikes, slow responses, repeated downloads, or unexpected large exports.
When not to use it
Do not assume a large response is suspicious. Confirm whether the path is expected content, a backup, a release artifact, or a protected export.
Watch this command run
Command transcript
This sanitized transcript shows the commands and output shape without exposing host details.
$ awk '{print $10, $7}' ./sample-files/nginx/access.log | sort -nr | head
2500000 /download/site-backup.tar
2500000 /download/site-backup.tar
2048 /docs
1700 /search?q=nginx&page=1
1700 /search?q=nginx&page=1
1700 /search?q=nginx&page=1
900 /api/search
512 /
180 /login
180 /admin$ awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./sample-files/nginx/access.log | sort -nr | head
2500000 198.51.100.24 /download/site-backup.tar 200
2500000 198.51.100.24 /download/site-backup.tar 200$ awk '$10 ~ /^[0-9]+$/ {sum+=$10} END {print sum}' ./sample-files/nginx/access.log
5010164View commands shown
These are the commands shown in the sanitized transcript.
Commands shown
awk '{print $10, $7}' ./fixtures/nginx/access.log | sort -nr | headawk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | headawk '$10 ~ /^[0-9]+$/ {sum+=$10} END {print sum}' ./fixtures/nginx/access.log
next steps
Related commands
Group Server Errors by URL Path
A 500 spike is easier to triage when the broken path is obvious.
awk '$9 ~ /^5/ {count[$7]++} END {for (path in count) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head
Summarize HTTP Status Codes
Before chasing individual lines, get the shape of the whole log.
awk '{count[$9]++} END {for (code in count) print count[code], code}' ./fixtures/nginx/access.log | sort -nr
Find Top 404 URLs
The missing file was not random. The access log had a pattern.
awk '$9==404 {print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
See Top Referrers
LinkedIn traffic was not a guess. The referrer field showed it.
awk -F'"' '{print $4}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
Find the IPs Creating the Most 4xx Noise
One address can turn a normal access log into a wall of failed requests.
awk '$9 ~ /^4/ {count[$1]++} END {for (ip in count) print count[ip], ip}' ./fixtures/nginx/access.log | sort -nr | head
Study mapping
Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.
Useful for
- LPIC-1 style command-line practice
- LFCS style performance tasks
- Linux+ style troubleshooting review
Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.