$ Linux One Liners
Back to commands

Hosting Operations

Read-only

See Top Referrers

You need a rough look at which referrers are sending requests.

Command

awk -F'"' '{print $4}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head

Before you run this

System impact: Read-only. Low when scoped to the shown target.

When not to use it: Do not treat referrers as complete analytics; some clients strip or spoof them.

Expected output

A ranked list of referrers.

System impact

Read-only. Nothing changes. The command counts referrer strings.

May require elevated permissions on protected paths or service-owned files.

Recovery / rollback: no state is changed.

When to use it

Use this as a quick server-side sanity check for campaign traffic.

When not to use it

Do not treat referrers as complete analytics; some clients strip or spoof them.

Watch this command run

Command transcript

This sanitized transcript shows the commands and output shape without exposing host details.

demo@lab:~$

$ awk -F'"' '{print $4}' /var/log/nginx/access.log

https://example.com/
-
-

$ awk -F'"' '{print $4}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head

      2 -
      1 https://example.com/

$ tail -n 3 /var/log/nginx/access.log

198.51.100.20 - - [25/Jun/2026:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "https://example.com/" "Mozilla/5.0"
198.51.100.21 - - [25/Jun/2026:10:02:00 +0000] "GET /missing.css HTTP/1.1" 404 120 "-" "ScannerBot"
198.51.100.22 - - [25/Jun/2026:10:03:00 +0000] "GET /api HTTP/1.1" 502 90 "-" "curl/8"
View commands shown

These are the commands shown in the sanitized transcript.

Commands shown

  1. awk -F'"' '{print $4}' /var/log/nginx/access.log
  2. awk -F'"' '{print $4}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
  3. tail -n 3 /var/log/nginx/access.log

next steps

Related commands

Hosting Operations Read-only

Find Top 404 URLs

The missing file was not random. The access log had a pattern.

awk '$9==404 {print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head
Hosting Operations Read-only

Find Unusually Large Web Responses

A few huge responses can explain bandwidth, latency, and suspicious download patterns.

awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | head
Hosting Operations Read-only

Group Server Errors by URL Path

A 500 spike is easier to triage when the broken path is obvious.

awk '$9 ~ /^5/ {count[$7]++} END {for (path in count) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head
Hosting Operations Read-only

Summarize HTTP Status Codes

Before chasing individual lines, get the shape of the whole log.

awk '{count[$9]++} END {for (code in count) print count[code], code}' ./fixtures/nginx/access.log | sort -nr
Cybersecurity Triage Read-only

Count the Most Common User Agents

A strange traffic spike often has a strange user agent.

awk -F'"' '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:103-gnu-unix-commands
  • lfcs:essential-commands
  • lfcs:operations-deployment
  • lfcs:services-logs
  • linuxplus:automation-scripting
  • linuxplus:provisional
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.