Hosting Operations

Find Unusually Large Web Responses

You need to list large responses from a web access log for operational and defensive review.

Command

awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | head

What changed

Nothing changes on the system. The command only reads the log and prints entries whose byte count in field 10 is above 1000000.

Danger

safe

When to use it

Use this when investigating bandwidth spikes, slow responses, or repeated downloads of large assets.

When not to use it

Do not assume a large response is suspicious; backups, media files, and releases may be expected.

Undo or recovery

No undo needed because the command is read-only.

Expected output

Large byte counts followed by source IP, path, and status code.

demo script

Disposable terminal steps

  1. awk '{print $10, $7}' ./fixtures/nginx/access.log | sort -nr | head
  2. awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | head
  3. awk '$10 ~ /^[0-9]+$/ {sum+=$10} END {print sum}' ./fixtures/nginx/access.log

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ awk '{print $10, $7}' ./fixtures/nginx/access.log | sort -nr | head
2500000 /download/site-backup.tar
2500000 /download/site-backup.tar
2048 /docs
1700 /search?q=nginx&page=1
1700 /search?q=nginx&page=1
1700 /search?q=nginx&page=1
900 /api/search
512 /
180 /login
180 /admin
::exit-code::0
$ awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | head
2500000 198.51.100.24 /download/site-backup.tar 200
2500000 198.51.100.24 /download/site-backup.tar 200
::exit-code::0
$ awk '$10 ~ /^[0-9]+$/ {sum+=$10} END {print sum}' ./fixtures/nginx/access.log
5010164
::exit-code::0
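
The command above splits on whitespace, so a request line that contains a space shifts the byte count out of field 10 and that entry is skipped. The added example below (not part of the original lesson) splits on the double quotes of the combined log format instead and totals large responses per client, status and path, which also surfaces repeated downloads. The function names and the sample log are constructed for illustration.

```shell
# Added example: total large responses per client, status and path.
# Assumes nginx "combined" log format; min defaults to 1000000 bytes.
large_by_client() {
    log=$1
    min=${2:-1000000}
    # Split on double quotes so spaces inside the request line cannot
    # shift field numbers: $1 = 'ip - user [time] ', $2 = request line,
    # $3 = ' status bytes '.
    awk -F'"' -v min="$min" '
    {
        split($1, pre, " ")
        n = split($2, req, " ")
        split($3, post, " ")
        bytes = post[2]
        if (bytes !~ /^[0-9]+$/ || bytes + 0 <= min + 0) next
        # Path is everything between the method and the protocol.
        path = (n >= 2) ? req[2] : "-"
        for (i = 3; i < n; i++) path = path " " req[i]
        key = pre[1] " " post[1] " " path
        hits[key]++
        total[key] += bytes
    }
    END { for (k in hits) print total[k], hits[k], k }
    ' "$log" | sort -k1,1nr -k3,3
}

# Constructed sample log (documentation address ranges, not real traffic).
make_sample_log() {
    cat <<'EOF'
198.51.100.24 - - [10/Oct/2024:13:55:36 +0000] "GET /download/site-backup.tar HTTP/1.1" 200 2500000 "-" "curl/8.0"
198.51.100.24 - - [10/Oct/2024:13:56:02 +0000] "GET /download/site-backup.tar HTTP/1.1" 200 2500000 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2024:13:57:10 +0000] "GET /media/team photo.png HTTP/1.1" 200 1800000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:57:11 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:58:00 +0000] "-" 400 0 "-" "-"
EOF
}

# Demo: prints "total_bytes hits ip status path", largest total first.
sample=$(mktemp)
make_sample_log > "$sample"
large_by_client "$sample"
rm -f "$sample"
```

Each output line is a per-client total, so a client fetching the same large file many times rises to the top even when no single response stands out.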

YouTube Short

Find huge responses fast.

When bandwidth jumps, sort by response size. This does not prove anything by itself, but it shows which paths deserve review.
