Unofficial practice

Sort and Count Repeated Log Lines

A log contains repeated failures. Find the matched line, read the surrounding context, and name the exact field that points to the next check.

Linux One Liners is an independent study and practice resource. It is not affiliated with, endorsed by, or approved by LPI, The Linux Foundation, CompTIA, or any certification provider. This site does not provide exam dumps or real exam questions.

Try first

grep -i error /var/log/syslog | cut -d' ' -f5- | sort | uniq -c | sort -nr | head

Troubleshooting ladder

  1. Name the symptom.
  2. Inspect read-only state.
  3. Find the owner, service, file, device, mount, or route.
  4. Read the decisive output field.
  5. Choose the next narrow command.
  6. Avoid broad or destructive changes.
  7. Make the smallest justified change if required.
  8. Verify and record what changed.

drill evidence

Sample output and answer key

Command anatomy

grep -i error /var/log/syslog | cut -d' ' -f5- | sort | uniq -c | sort -nr | head
  grep: select matching lines
  -n: print line numbers when present
  -C: show context before and after the match
  pattern: the text or regular expression to search
  path: the file or directory being inspected

Annotated output

3 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
2 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
1 app[412]: ERROR db timeout user=ana

What to notice

  count: how many times this normalized message appeared
  service/process: which program emitted the message
  message: the failure text being grouped
  object: the user, path, address, or resource involved
  next-check: the command that narrows the highest-count failure

Safe vs unsafe move

Common wrong move

Running uniq -c before sort, which counts only adjacent duplicate lines.

Next safe command

grep -Rni -C2 'Permission denied' /var/log 2>/dev/null | head -80

Goal

Prove the condition with command output before changing the system.

Safe first command

grep -i error /var/log/syslog | cut -d' ' -f5- | sort | uniq -c | sort -nr | head

Correct interpretation

The decisive fields are `count`, `service/process`, and `message`. The affected object is the service or process named in the failing line. The next safe command is `grep -Rni -C2 'Permission denied' /var/log 2>/dev/null | head -80` because it narrows the evidence without jumping to a broad fix. Watch out for this wrong move: running uniq -c before sort, which counts only adjacent duplicate lines.
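The wrong move and the correct order, run side by side on constructed log lines. This is an added example, not part of the original drill; the host name `web1`, the timestamps, and the function names are assumptions. It also shows why `cut -d' ' -f5-` lands on a different field when the day is space-padded, using awk's whitespace field splitting as a swapped-in alternative.

```shell
#!/bin/sh
# Constructed sample in traditional syslog format; host, PIDs and times are
# made up, messages mirror the annotated output. Note the padded day "Jul  3".
sample_log() {
cat <<'EOF'
Jul  3 10:00:01 web1 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
Jul  3 10:00:02 web1 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
Jul  3 10:00:03 web1 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
Jul  3 10:00:04 web1 app[412]: ERROR db timeout user=ana
Jul  3 10:00:05 web1 sshd[2249]: Failed password for invalid user deploy from 203.0.113.44
Jul  3 10:00:06 web1 nginx[2310]: open() "/srv/app/current/.env" failed (13: Permission denied)
EOF
}

# Drop month, day, time and host by whitespace-separated field. awk treats the
# run of spaces in "Jul  3" as one separator; cut -d' ' sees an empty field
# there, so -f5- would start at the host instead of the process.
normalize() {
    awk '{ $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }'
}

# Correct order: sort makes identical lines adjacent, then uniq -c counts them.
count_sorted() { normalize | sort | uniq -c | sort -nr; }

# The wrong move: uniq -c on unsorted input counts only adjacent repeats.
count_unsorted() { normalize | uniq -c | sort -nr; }

# Count column of the first (highest) row.
top_count() { head -n 1 | awk '{ print $1 }'; }

echo "sort | uniq -c:";   sample_log | count_sorted
echo "uniq -c, no sort:"; sample_log | count_unsorted
```

Because the sample lines are interleaved, the unsorted variant reports every message with a count of 1, so the highest-count failure never stands out.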

Self-check

Which matched line is decisive, and what object in that line should you inspect next?

source and objective

Related cert objective

Source status: LPI LPIC-1 overview verified July 3, 2026. Current version 5.0; exams 101-500 and 102-500.

Why this matters

The point is not to memorize a flag. It is to read the evidence, name the next safe check, and avoid the tempting broad fix.