Cybersecurity Triage

Spot Request Bursts by Minute

You need to find the busiest minute-level windows in an access log.

Command

awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' ./fixtures/nginx/access.log | sort -nr | head

What changed

Nothing on disk changes: the command only reads the log, groups requests by minute, and prints the busiest buckets.

Danger

safe

When to use it

Use this when checking whether suspicious traffic is steady background noise or a short burst.

When not to use it

Do not use minute buckets for precise incident timelines; preserve raw logs for detailed analysis.

Undo or recovery

No undo needed because the command is read-only.

Expected output

A list of request counts in descending order, each followed by the minute timestamp it belongs to.

demo script

Disposable terminal steps

  1. awk '{print substr($4,2,17)}' ./fixtures/nginx/access.log | head
  2. awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' ./fixtures/nginx/access.log | sort -nr | head
  3. awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' ./fixtures/nginx/access.log | sort
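The steps above, worked as an added example that is not part of the lesson or its fixtures: a constructed nginx "combined"-format log is generated inline (the client IP, path and user agent are placeholders, not captured traffic), bucketed by minute with the same `substr($4,2,17)` extraction, and then filtered against a request-count threshold so a burst stands out from steady background traffic. It goes one step beyond the lesson by sorting numerically on the count column, which matters once a minute reaches two digits (a plain lexical `sort` would place "12" before "2"), and by making ties deterministic. The threshold of 10 is an assumed value for the sample, not a recommendation.

```shell
#!/bin/sh
# Added example, not part of the lesson: build a constructed nginx access log,
# bucket it by minute the way the lesson's awk command does, and flag burst minutes.

# Emit $2 constructed "combined"-format lines stamped in minute $1 (HH:MM).
# The client IP, path and user agent are placeholders, not captured traffic.
gen_lines() {
  i=0
  while [ "$i" -lt "$2" ]; do
    printf '203.0.113.5 - - [25/Jun/2026:%s:%02d +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"\n' "$1" "$i"
    i=$((i + 1))
  done
}

# Constructed fixture: 3 requests at 10:00, 12 at 10:01, 2 at 10:02.
make_sample_log() {
  gen_lines 10:00 3
  gen_lines 10:01 12
  gen_lines 10:02 2
}

# Read an access log on stdin; print "count minute", busiest minute first.
# $4 is the "[dd/Mon/yyyy:HH:MM:SS" field, so dropping the "[" and keeping 17
# characters leaves the minute. Sorting numerically on the count (-k1,1nr)
# matters once a bucket reaches two digits: a plain lexical sort would place
# "12" before "2". The second key makes ties deterministic (earlier minute first).
bucket_by_minute() {
  awk '{ minute = substr($4, 2, 17); count[minute]++ }
       END { for (m in count) print count[m], m }' \
  | sort -k1,1nr -k2,2
}

# Print only the minutes whose request count is at least the threshold in $1,
# so a short burst stands out from steady background traffic.
burst_minutes() {
  bucket_by_minute | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage: rank all minutes, then list the ones at or above 10 requests.
make_sample_log | bucket_by_minute
make_sample_log | burst_minutes 10
```

Pipe a real log into `bucket_by_minute` instead of `make_sample_log` to rank its minutes; `burst_minutes` then gives you the short list of windows worth pulling raw lines for, which is the point of bucketing first and reading lines second.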

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ awk '{print substr($4,2,17)}' ./fixtures/nginx/access.log | head
25/Jun/2026:10:00
25/Jun/2026:10:00
25/Jun/2026:10:00
25/Jun/2026:10:01
25/Jun/2026:10:01
25/Jun/2026:10:01
25/Jun/2026:10:01
25/Jun/2026:10:01
25/Jun/2026:10:01
25/Jun/2026:10:01
::exit-code::0
$ awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' ./fixtures/nginx/access.log | sort -nr | head
7 25/Jun/2026:10:01
5 25/Jun/2026:10:04
5 25/Jun/2026:10:03
5 25/Jun/2026:10:02
3 25/Jun/2026:10:00
::exit-code::0
$ awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' ./fixtures/nginx/access.log | sort
3 25/Jun/2026:10:00
5 25/Jun/2026:10:02
5 25/Jun/2026:10:03
5 25/Jun/2026:10:04
7 25/Jun/2026:10:01
::exit-code::0

YouTube Short

Bucket requests by minute.

Before reading hundreds of log lines, group requests by minute. A burst stands out immediately, and you still have the raw log for deeper review.

LinkedIn hook

Traffic spikes are easier to read when you bucket them by time.

Question: When traffic spikes, do you inspect raw lines first or bucket by time?

experiments

A/B tests to run

Metric: youtube_retention_15s

A: The spike is obvious once you bucket by minute.

B: Stop reading every line. Count the burst.