Unofficial practice
Sort and Count Repeated Log Lines
A log contains repeated failures. Find the matched line, read the surrounding context, and name the exact field that points to the next check.
Linux One Liners is an independent study and practice resource. It is not affiliated with, endorsed by, or approved by LPI, The Linux Foundation, CompTIA, or any certification provider. This site does not provide exam dumps or real exam questions.
Try first
grep -i error /var/log/syslog | cut -d' ' -f5- | sort | uniq -c | sort -nr | head
Troubleshooting ladder
- Name the symptom.
- Inspect read-only state.
- Find the owner, service, file, device, mount, or route.
- Read the decisive output field.
- Choose the next narrow command.
- Avoid broad or destructive changes.
- Make the smallest justified change if required.
- Verify and record what changed.
Drill evidence
Sample output and answer key
Command anatomy
grep -i error /var/log/syslog | cut -d' ' -f5- | sort | uniq -c | sort -nr | head
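- grep: select matching lines
- -n: print line numbers when present (not in this pipeline; used in the follow-up grep)
- -C: show context before and after the match (not in this pipeline; used in the follow-up grep)
- pattern: the text or regular expression to search
- path: the file or directory being inspected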
Annotated output
3 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
2 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
1 app[412]: ERROR db timeout user=ana
What to notice
- count: how many times this normalized message appeared
- service/process: which program emitted the message
- message: the failure text being grouped
- object: the user, path, address, or resource involved
- next-check: the command that narrows the highest-count failure
Safe vs unsafe move
Common wrong move
Running uniq -c before sort, which counts only adjacent duplicate lines.
Next safe command
grep -Rni -C2 'Permission denied' /var/log 2>/dev/null | head -80
Goal
Prove the condition with command output before changing the system.
Safe first command
grep -i error /var/log/syslog | cut -d' ' -f5- | sort | uniq -c | sort -nr | head
Correct interpretation
The decisive fields are `count`, `service/process`, and `message`. The affected object is the service or process named in the failing line. The next safe command is `grep -Rni -C2 'Permission denied' /var/log 2>/dev/null | head -80` because it narrows the evidence without jumping to a broad fix. Watch out for this wrong move: running `uniq -c` before `sort`, which counts only adjacent duplicate lines.
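The ordering pitfall described above, plus one case the pipeline itself can trip on, as an added example that is not part of the original page. The log lines are constructed, and `strip_sed` and the other helper names are assumptions introduced here; the second half shows that `cut -d' ' -f5-` shifts by one field when syslog pads a single-digit day as `Jul  3`.

```shell
#!/bin/sh
# Constructed sample in traditional syslog layout (not from a real host).
# Failures are interleaved so that no two identical messages are adjacent.
sample_log() {
cat <<'EOF'
Jul 13 10:00:01 web1 nginx[2310]: [error] open() "/srv/app/current/.env" failed (13: Permission denied)
Jul 13 10:00:02 web1 sshd[2249]: error: maximum authentication attempts exceeded for invalid user deploy from 203.0.113.44
Jul 13 10:00:03 web1 nginx[2310]: [error] open() "/srv/app/current/.env" failed (13: Permission denied)
Jul 13 10:00:04 web1 app[412]: ERROR db timeout user=ana
Jul 13 10:00:05 web1 sshd[2249]: error: maximum authentication attempts exceeded for invalid user deploy from 203.0.113.44
Jul 13 10:00:06 web1 nginx[2310]: [error] open() "/srv/app/current/.env" failed (13: Permission denied)
Jul 13 10:00:07 web1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Same log with a single-digit day, which syslog pads as "Jul  3" (two spaces).
padded_log() { sample_log | sed 's/^Jul 13/Jul  3/'; }

# The page's normalizer: drop the first four space-separated fields.
strip_cut() { cut -d' ' -f5-; }

# Alternative normalizer (assumption, not from the page): match the
# month/day/time/host prefix with runs of spaces so padding cannot shift it.
strip_sed() { sed -E 's/^[A-Za-z]+ +[0-9]+ +[0-9:]+ +[^ ]+ +//'; }

# Correct order: sort first so identical lines become adjacent, then count.
count_sorted() { grep -i error | "$1" | sort | uniq -c | sort -nr; }

# The wrong move from the page: uniq -c on unsorted input.
count_unsorted() { grep -i error | "$1" | uniq -c | sort -nr; }

top_count()   { head -n 1 | awk '{print $1}'; }   # count on the first row
top_process() { head -n 1 | awk '{print $2}'; }   # first word after the count
row_count()   { wc -l | tr -d ' '; }

echo "sorted, then counted:"; sample_log | count_sorted strip_cut
echo "uniq before sort:";     sample_log | count_unsorted strip_cut
echo "padded day, cut:";      padded_log | count_sorted strip_cut | head -n 1
echo "padded day, sed:";      padded_log | count_sorted strip_sed | head -n 1
```

With the padded day, the `cut` version groups on the hostname plus the message, so the same failure reported by two hosts would split into two rows.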
Self-check
Which matched line is decisive, and what object in that line should you inspect next?
Source and objective
Related cert objective
Source status: LPI LPIC-1 overview verified July 3, 2026. Current version 5.0; exams 101-500 and 102-500.
Why this matters
The point is not to memorize a flag. It is to read the evidence, name the next safe check, and avoid the tempting broad fix.