Hosting Operations

Read-only

Summarize HTTP Status Codes

A web incident has too many log lines to read one by one, and you need the response-code shape before choosing the next drill-down.

Command

awk '{count[$9]++} END {for (code in count) print count[code], code}' ./fixtures/nginx/access.log | sort -nr

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not stop at the summary. Follow suspicious code families by IP, path, and time window before changing config or blocking clients.

Expected output

Counts followed by HTTP status codes, usually enough to show whether 4xx, 5xx, redirects, or 2xx responses dominate.

System impact

Read-only. Nothing changes. The command reads the log and counts response codes; real logs can contain IPs, paths, and user data, so handle output as operational evidence.

Recovery / rollback: no state is changed.

When to use it

Use this as the first pass when deciding whether the incident is mostly redirects, client errors, server errors, or normal traffic with a few noisy lines.

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

$ head -5 ./sample-files/nginx/access.log

198.51.100.10 - - [25/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.11 - - [25/Jun/2026:10:00:03 +0000] "GET /docs HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
198.51.100.12 - - [25/Jun/2026:10:00:08 +0000] "POST /api/search HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.44 - - [25/Jun/2026:10:01:01 +0000] "GET /missing HTTP/1.1" 404 120 "-" "ScannerBot/1.0"
203.0.113.44 - - [25/Jun/2026:10:01:03 +0000] "GET /missing HTTP/1.1" 404 120 "-" "ScannerBot/1.0"

$ awk '{count[$9]++} END {for (code in count) print count[code], code}' ./sample-files/nginx/access.log | sort -nr

13 200
5 404
2 405
2 403
1 503
1 502
1 500

$ awk '$9 ~ /^5/ {print $1, $7, $9}' ./sample-files/nginx/access.log

198.51.100.21 /api/report 500
198.51.100.22 /api/report 502
198.51.100.23 /api/report 503
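
The drill-down this page recommends (by IP, path, and time window), as an added example that is not part of the original page. It splits each line on its double quotes instead of on whitespace, so a malformed request line cannot move the status code out of position; the function names and sample lines are constructed, and the nginx combined log format is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Lines are split on double quotes,
# so a malformed request line cannot shift the status the way it shifts $9.

# family_summary LOGFILE -> "count family" (5xx, 4xx, ...), largest first
family_summary() {
  awk -F'"' '
    { split($3, tail, " ")               # tail[1]=status, tail[2]=bytes
      ok = (tail[1] ~ /^[1-5][0-9][0-9]$/)
      count[ok ? (substr(tail[1], 1, 1) "xx") : "unparsed"]++ }
    END { for (f in count) print count[f], f }
  ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# drilldown FAMILY_DIGIT LOGFILE -> "count ip path minute status", busiest first
drilldown() {
  awk -F'"' -v fam="$1" '
    { split($1, head, " ")               # head[1]=ip, head[4]="[25/Jun/2026:10:02:01"
      split($2, req, " ")                # req[1]=method, req[2]=path (absent if malformed)
      split($3, tail, " ")               # tail[1]=status
      if (substr(tail[1], 1, 1) != fam) next
      path = (req[2] == "") ? "-" : req[2]
      minute = substr(head[4], 2, 17)    # dd/Mon/yyyy:HH:MM
      count[head[1] " " path " " minute " " tail[1]]++ }
    END { for (k in count) print count[k], k }
  ' "$2" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (documentation-range addresses, not real traffic).
sample_log() {
  cat <<'EOF'
198.51.100.10 - - [25/Jun/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.21 - - [25/Jun/2026:10:02:01 +0000] "GET /api/report HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.21 - - [25/Jun/2026:10:02:40 +0000] "GET /api/report HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.22 - - [25/Jun/2026:10:03:05 +0000] "GET /api/report HTTP/1.1" 502 0 "-" "Mozilla/5.0"
203.0.113.44 - - [25/Jun/2026:10:03:09 +0000] "GET /a b HTTP/1.1" 404 120 "-" "ScannerBot/1.0"
203.0.113.44 - - [25/Jun/2026:10:03:10 +0000] "-" 400 0 "-" "-"
EOF
}

# Run both views against the constructed sample.
tmp=$(mktemp) && sample_log > "$tmp"
family_summary "$tmp"
drilldown 5 "$tmp"
rm -f "$tmp"
```

In the last two sample lines, whitespace splitting puts HTTP/1.1" and "-" in $9, so the one-line summary would count them under those strings instead of under 404 and 400.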

Next steps

Related commands

Hosting Operations Read-only

Group Server Errors by URL Path

A 500 spike is easier to triage when the broken path is obvious.

awk '$9 ~ /^5/ {count[$7]++} END {for (path in count) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head

Hosting Operations Read-only

Find Unusually Large Web Responses

A few huge responses can explain bandwidth, latency, and suspicious download patterns.

awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | head

Hosting Operations Read-only

Count App Errors by Minute

A minute-by-minute count shows whether an incident is a spike or a drip.

awk 'tolower($0) ~ /(error|fatal|timeout|exception)/ {minute=substr($1,1,16); count[minute]++} END {for (m in count) print count[m], m}' fixtures/incidents/app.log | sort -nr

Hosting Operations Can be slow

Summarize Journal Severity During an Incident

Start with severity counts before opening every log line.

journalctl -p warning..alert --since "2 hours ago" --no-pager -o short-iso | awk '{count[$4]++} END {for (level in count) print count[level], level}' | sort -nr

Cybersecurity Triage Read-only

Find the IPs Creating the Most 4xx Noise

One address can turn a normal access log into a wall of failed requests.

awk '$9 ~ /^4/ {count[$1]++} END {for (ip in count) print count[ip], ip}' ./fixtures/nginx/access.log | sort -nr | head

Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lfcs:essential-commands
  • lfcs:operations-deployment
  • lfcs:services-logs
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.