$ Linux One Liners
Back to lessons

Hosting Operations

Print a Critical Journal Timeline

You need a compact timeline of severe journal lines with timestamp, source, priority, and message.

Command

journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | awk '{print $1, $3, $4, substr($0,index($0,$5))}'

What changed

Nothing changes. The command prints a compact severe-event timeline.

Danger

safe

When to use it

Use when you need to compare app errors, worker exits, and supervisor messages in order.

When not to use it

Do not use it for full forensic retention; export logs through your normal incident process when needed.

Undo or recovery

No undo needed because the command is read-only.

Expected output

Timestamped severe log lines with source, priority, and message.

demo script

Disposable terminal steps

  1. journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso
  2. journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | awk '{print $1, $3, $4, substr($0,index($0,$5))}'
Terminal transcript Demo JSON

simulated output

What it looks like

disposable vessel 
::fixture-ready::
$ journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso
2026-06-25T14:03:08+00:00 vps api[1842]: err request_id=req-103 ERROR database timeout after 30000ms
2026-06-25T14:03:12+00:00 vps api[1842]: err request_id=req-103 ERROR retry failed upstream=db
2026-06-25T14:05:10+00:00 vps worker[2201]: crit FATAL job runner exited code=137
2026-06-25T14:06:33+00:00 vps api[1842]: err request_id=req-107 ERROR payment provider returned 500
::exit-code::0
$ journalctl -p err..alert --since "2 hours ago" --no-pager -o short-iso | awk '{print $1, $3, $4, substr($0,index($0,$5))}'
2026-06-25T14:03:08+00:00 api[1842]: err request_id=req-103 ERROR database timeout after 30000ms
2026-06-25T14:03:12+00:00 api[1842]: err request_id=req-103 ERROR retry failed upstream=db
2026-06-25T14:05:10+00:00 worker[2201]: crit FATAL job runner exited code=137
2026-06-25T14:06:33+00:00 api[1842]: err request_id=req-107 ERROR payment provider returned 500
::exit-code::0

YouTube Short

Make a severe-event timeline.

When errors cluster together, print only the severe journal timeline. It is easier to reason about order than volume.

LinkedIn hook

Timeline beats guesswork when several failures happen close together.

Question: During incidents, what do you use to reconstruct the first failing event?

experiments

A/B tests to run

Metric: youtube_retention_15s

A: Timeline beats scrolling.

B: Reconstruct severe events in order.