Log Investigation Techniques

Good log investigation is about narrowing the problem fast: identify the time window, find the failing request, extract the stacktrace, remove noise, then group repeating patterns.

Recommended Workflow

  1. Start with the time window and service name.
  2. Search for ERROR, Exception, request ID, transaction ID, username or endpoint.
  3. Use context lines around the match to understand the sequence.
  4. Summarize duplicate failures to find the main issue.
  5. Correlate with service restarts, deployments, traffic spikes or database/network events.

Command Reference

Command | What it does | Example
grep -n 'ERROR' app.log | Finds error lines and shows their line numbers. | grep -n 'ERROR' app.log
grep -n 'Exception' app.log | Finds exception lines with line numbers. | grep -n 'Exception' app.log
grep -A 20 -B 5 'NullPointerException' app.log | Shows lines before and after a match for context. | grep -A 20 -B 5 'NullPointerException' app.log
tail -f app.log | grep -E 'ERROR|WARN' | Follows logs live and filters serious messages. | tail -f app.log | grep -E 'ERROR|WARN'
sed -n '1200,1260p' app.log | Prints a selected line range from a log. | sed -n '1200,1260p' app.log
awk '/ERROR|WARN|Exception/' app.log | Prints lines matching multiple patterns. | awk '/ERROR|WARN|Exception/' app.log
zgrep -n 'ERROR' app.log.gz | Searches inside compressed logs. | zgrep -n 'ERROR' app.log.gz
grep 'requestId=abc123' app.log | Traces one request or correlation ID through the log. | grep 'requestId=abc123' app.log
grep '2026-03-08' app.log | Filters lines for a specific date. | grep '2026-03-08' app.log
grep 'ERROR' app.log | sort | uniq -c | sort -nr | head | Groups repeated errors to spot the main issue. | grep 'ERROR' app.log | sort | uniq -c | sort -nr | head
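The workflow steps and the grouping command from the table, run end to end over a constructed log, as an added shell example that is not part of the original page. The log file path, the service name "orders", the request IDs and the timestamps are all assumptions made for the demonstration. It also shows the one caveat worth knowing about the grouping one-liner: piping raw ERROR lines into sort | uniq -c collapses almost nothing, because every line carries its own timestamp and request ID, so the example strips both before counting.

```shell
#!/bin/sh
# Added example, not code from the original page. Everything below
# (log path, service name, request IDs, timestamps) is constructed.

LOG="${TMPDIR:-/tmp}/app-demo.log"   # assumed location for the sample log

# Constructed sample log: one failing request, one noisy request, and a
# database timeout that repeats across several requests.
cat > "$LOG" <<'EOF'
2026-03-08 10:00:01 INFO  [orders] requestId=abc123 GET /orders/42 user=alice
2026-03-08 10:00:01 INFO  [orders] requestId=def456 GET /orders/43 user=bob
2026-03-08 10:00:02 ERROR [orders] requestId=abc123 Database connection timed out
2026-03-08 10:00:02 ERROR [orders] requestId=abc123 java.lang.NullPointerException: order was null
2026-03-08 10:00:02 WARN  [orders] requestId=def456 slow query 1500ms
2026-03-08 10:00:03 ERROR [orders] requestId=ghi789 Database connection timed out
2026-03-08 10:00:04 ERROR [orders] requestId=jkl012 Database connection timed out
2026-03-08 10:00:05 INFO  [orders] requestId=def456 200 OK
EOF

# Portable line count (BSD wc pads with spaces, so strip them).
count() { wc -l | tr -d ' '; }

# Step 1: narrow to a time window (prefix match on the timestamp) and a service.
in_window() {   # usage: in_window '2026-03-08 10:00:02' orders
    grep "^$1" "$LOG" | grep "\[$2\]"
}

# Step 2: follow one request or correlation ID through the log.
trace_request() {   # usage: trace_request abc123
    grep "requestId=$1" "$LOG"
}

# Step 3: context lines around a match, with line numbers for sed -n later.
exception_context() {   # usage: exception_context NullPointerException
    grep -n -B 2 -A 1 "$1" "$LOG"
}

# Step 4, as written in the table: raw ERROR lines grouped as-is.
top_errors_raw() {
    grep 'ERROR' "$LOG" | sort | uniq -c | sort -nr | head
}

# Step 4, normalized: drop the timestamp and request ID so that the same
# failure from different requests counts as one pattern.
top_errors() {
    grep 'ERROR' "$LOG" \
      | sed -E 's/^[0-9-]+ [0-9:]+ //; s/requestId=[A-Za-z0-9]+ //' \
      | sort | uniq -c | sort -nr | head
}

# Count attached to the most frequent group, for comparing the two approaches.
top_count() {   # usage: top_count top_errors   (or top_errors_raw)
    "$1" | head -n 1 | awk '{print $1}'
}
```

With the sample log, the raw grouping reports every error exactly once, while the normalized grouping shows "Database connection timed out" three times, which is the main issue the workflow is meant to surface; the NullPointerException on request abc123 is then read in context with exception_context.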

What to Look For