awk — Log Correlation
Events per minute — burst detection
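# Journal entries bucketed per minute (default "short" output: "Apr 11 14:00:01 host unit[pid]: msg").
# -q drops journalctl's "-- Journal begins at ..." banner, and the awk guard only counts lines whose
# third field is an HH:MM:SS timestamp, so wrapped multi-line messages do not create garbage buckets.
# Caveats: as a non-root user outside the systemd-journal/adm groups you only see your own journal;
# the "Mon DD HH:MM" key sorts lexically, so ordering is chronological only within one month.
journalctl -q --since "10 minutes ago" --no-pager | awk '$3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {min=$1" "$2" "substr($3,1,5); count[min]++} END{for(m in count) print m, count[m]}' | sort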
Threshold alert — flag minutes with over 100 events
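# Flag minutes with more than `threshold` entries (default 100; override with -v threshold=N).
# -q suppresses the journal banner and the guard skips non-timestamped continuation lines, both of
# which would otherwise be counted. The key is HH:MM only, which is unambiguous inside a 10-minute
# window; widen --since and you must add the date to the key. Output order of "for (m in count)"
# is unspecified — pipe through sort if several minutes alert.
journalctl -q --since "10 minutes ago" --no-pager | awk -v threshold=100 '$3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ {min=substr($3,1,5); count[min]++} END{for(m in count) if(count[m]>threshold) print "ALERT:", m, count[m]}'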
Count events per log file using FILENAME
awk '{count[FILENAME]++} END{for(f in count) printf "%-40s %d\n",f,count[f]}' /var/log/syslog /var/log/auth.log 2>/dev/null
Merge and deduplicate sorted logs
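# Chronological merge with exact-duplicate removal (auth.log lines are usually echoed in syslog).
# -k1,1M orders month names by calendar position (GNU/BSD sort; plain -k1,3 sorts "Apr" before
# "Mar"), -k2,2n the day, -k3,3 the HH:MM:SS; LC_ALL=C pins the English month names. Caveat: the
# syslog timestamp carries no year, so a range spanning New Year puts Jan before Dec.
# awk '!seen[$0]++' instead of sort -u on purpose: with -k given, -u compares only the key fields
# and would discard distinct events that share a timestamp.
LC_ALL=C sort -k1,1M -k2,2n -k3,3 /var/log/syslog /var/log/auth.log 2>/dev/null | awk '!seen[$0]++'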
Extract log entries between two timestamps
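# Entries on `day` with a time in [from, to), comparing the zero-padded HH:MM:SS field as a string.
# Preferred over the range pattern /^Apr 11 14:00/,/^Apr 11 15:00/: a range is inclusive, so it
# emits the first 15:00 line, and if nothing was logged during the 15:00 minute it runs to EOF.
# For single-digit days use day="Apr 2" (awk collapses syslog's padded "Apr  2" into two fields).
awk -v day="Apr 11" -v from="14:00:00" -v to="15:00:00" '($1 " " $2) == day && $3 >= from && $3 < to' /var/log/syslog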
Bucket ISO 8601 timestamps by hour
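# Hourly buckets for lines that start with an ISO 8601 timestamp ("2024-04-11T14:00:01Z ...").
# -F'[T:]' splits that timestamp into date ($1) and hour ($2); the guard skips banner or wrapped
# continuation lines, which would otherwise each become a garbage bucket.
# Caveat: the hour is bucketed as written — Z and +02:00 entries for the same instant land in
# different wall-clock buckets. Normalize to one zone before correlating across sources.
awk -F'[T:]' '$1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ {hour=$1"T"$2; counts[hour]++} END{for(h in counts) printf "%s %d\n",h,counts[h]}' timestamped.log | sort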
Requests per minute with running average (centered window of 5 buckets)
awk '{gsub(/\[/,"",$4); split($4,t,":"); min=t[2]":"t[3]; rpm[min]++} END{
n=asorti(rpm,sorted)
for(i=1;i<=n;i++){
sum=0; c=0
for(j=i-2;j<=i+2;j++) if(j>=1 && j<=n){sum+=rpm[sorted[j]]; c++}
printf "%s %4d avg=%.0f\n",sorted[i],rpm[sorted[i]],sum/c
}
}' access.log